Attacks on android webviews
In this series of articles so far, we have discussed various techniques to identify and exploit vulnerabilities in Android applications. In the previous article, we have seen how to exploit debuggable Android applications. In this article, let's discuss the vulnerabilities associated with Android WebViews.
11 courses, 8+ hours of training
Topics covered
- Introduction to Android WebViews
- Implementing WebViews in Android apps
- Security issues
- Exploiting Android WebView vulnerabilities using Metasploit
- Using QR Code attacks
Let's begin.
Introduction to WebViews
When developing an Android app, we can load a remote URL or display HTML pages stored in our application within an activity using WebView. Internally it uses WebKit rendering engine to display web pages. It supports methods to navigate forward and backward, text searches, etc. It has some nice features such as support for the usage of JavaScript.
Implementing WebViews in android apps
Implementing WebViews in Android applications is pretty simple. Initially, we will have to set up all the required Android project setup like any other Android application project. Then, we will have to create an object for WebView Class to use its functionality. Here is a sample code snippet of how we can do this.
In order to load an Internet website:
WebView webview = (WebView) findViewById(R.id.mywebview);
webview.loadUrl("http://website.com");
Since we are accessing an Internet application, we need to have Internet access in order for this to work. So, we need to request for INTERNET by placing the following line in the AndroidManifest.xml file:
<uses-permission android_name="android.permission.INTERNET" />
In order to load a file from the file system:
WebView webview = (WebView) findViewById(R.id.mywebview);
webwiew.loadUrl("file:///android_asset/www/file.html");
Security issues
As mentioned in the beginning, WebView supports usage of JavaScript. If the application being loaded into WebView requires JavaScript support, it can be enabled by using the following line.
WebView webview = (WebView) findViewById(R.id.mywebview);
WebSettings webSettings = myWebView.getSettings();
webSettings.setJavaScriptEnabled(true);
Another powerful feature in WebView is exposing a Java object's methods to be accessed from JavaScript.
This is one of the important features which requires a keen eye when implementing, as it can be exploited by passing malicious JavaScript to the application's interface. Below is a sample code snippet by @jduck on how it can be implemented and exploited.
https://github.com/jduck/VulnWebView/
Exploiting android WebView vulnerabilities using Metasploit
In this section, we will see how to exploit a recent vulnerability which affected most of the Android devices. This attack works on all the devices running on Android version 4.2 (JellyBean) and earlier.
- Launch your Metasploit by typing "msfconsole" in a new terminal.
- Type "search android" to see all the exploits associated with Android. You should see the screen below (make sure you have updated your Metasploit to see the screen).
We are going to use the exploit highlighted in the above figure, which uses vulnerable WebView components. You can get other information about this exploit by using the "info" command.
- To load the exploit, we can use the command "use <exploit>" as shown below.
- Now, we can see the options to be set by giving the "show options" command.
- IP address and Port to start a reverse handler can be set manually; otherwise it automatically takes the default values.
In our case, we are leaving the default values and setting the URI PATH as shown below.
- Once after setting up everything, execute the "exploit" as a command to start a reverse handler.
As we can see in the above figure, a reverse handler has been started at http://192.168.1.104/srini0x00. We can directly share this URL with the victim. Once he opens it, it will open up a shell on the device as shown in the figure below.
Using QR code attacks
To make this attack even more convincing, we can embed the above URL into a QRCode image. If a victim scans it using a QR code scanner, the URL will automatically pop up and will be opened in a browser.
This can be achieved using Social Engineering Toolkit.
Steps:
- Open up your Social Engineering Toolkit in Kali Linux by following the path given below.
KaliLinux -> Exploitation Tools -> Social Engineering ToolKit -> se-toolkit
- Select Social Engineering Attacks followed by QRCode Generator Attack Vector as shown in the figure below.
- Now, we have to enter the URL to be embedded into the QRCode image as shown in the figure below. In our case, this is http://192.168.1.104/srini0x00
As we can see in the above figure, a QRCode has been generated.
If you go to the location where it is saved, it looks as shown in the figure below.
- If a victim scans this QRCode with QRCode scanner app from his Android device, it will open it up in a browser and a remote session will be opened in Metasploit.
QRCode opening the URL in a browser
Session Opened in Metasploit
- Let's have a look at all the active sessions.
- Now, let's start interacting with the session appeared in the previous step. This is shown in the following figure.
- I have set my path to system/bin and am now executing the command "cat /proc/cpuinfo" to see the CPU information on the device.
Conclusion
In this article, we have discussed attacks associated with WebViews. We can use Drozer for finding and exploiting these vulnerabilities in Android apps. I have provided a link as a reference if you are interested to use Drozer for this.
11 courses, 8+ hours of training
Sources
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- Attacks on android webviews
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security