WebView: what it is and how attackers use it
Android System WebView is a system component that is responsible for opening web pages inside other applications. It allows you to track user actions — there is access to detailed statistics. You can’t do this with a link to a third-party browser.
Despite its popularity and advantages, the embedded browser is often fraught with cyber threats. And, as a rule, Android application developers are not to blame for this.
Links in applications do not always open in the browser — the user can remain in the interface of the mobile application. Such built-in web pages, for example, are available in social networks and instant messengers. You can create them using the WebView component, which has recently become very popular in mobile development.
High interest in it arose against the background of many advantages. However, experts warn that you need to use the technology wisely. It has vulnerabilities that may be of interest to cyber fraudsters.
What is WebView
Android System WebView is a system component that is responsible for opening web pages inside other applications. It allows you to track user actions — there is access to detailed statistics. With the transition to the link in a third-party browser, this cannot be done.
There are obvious advantages on the user side — with WebView, the speed of loading content is higher and device resources are less spent than when clicking on a link to a third-party browser.
Why it’s popular
Recently, WebView has been of particular interest to marketers. They use it as an inexpensive testing ground to test their hypotheses. In WebView, you can build communication with the client in different ways — for example, add online chat and push notifications, and then track the reaction. It’s also easier to test marketing scenarios and segment your target audience.
Another case is that WebView is used as a separate stage of development or as an MVP (Minimal Viable Product). The component helps to quickly assess how the feature will be implemented on two platforms at once — in the application and on the web. The same goes for the appearance of bugs and vulnerabilities. They are also easier to track at the time of connecting the component.
And finally, the third popular use case for WebView is that it can completely replace a company’s website. It has recently been used by financial and other organizations that have had to face online sanctions.
Fly in the ointment, or What’s wrong with WebView
Despite its popularity and advantages, the embeddable browser is often fraught with cyber threats. And, as a rule, the developers of the Android application are not to blame for this.
Sergey Polunin,
Head of the Infrastructure IT Protection Group, Gazinformservice
The default settings in the modern version of Android provide a basic level of WebView security. However, application developers almost always make their own settings and changes to this component. That is why, when connecting it, you should not forget about the risks of information security.
Usually, vulnerabilities in WebView are discovered before attackers have time to exploit them. This is what happened with the Galaxy App Store, which was reported by Samsung in early 2023. Also, without casualties, the story ended with a bug in the Tik-Tok webview component, which Microsoft discovered in 2022.
According to experts, the main problem with WebView is the same as any third-party browser. It lies in the fact that unauthorized access can be obtained to it and information that is sent to the back-end application can be intercepted. In particular, there are always risks of an XSS attack, in which an attacker injects malicious code into a web page and steals user data.
Vladislav Gusev
, Director of the IT company GUSCOM,
WebView is convenient and practical, but the component can also create potential vulnerabilities. For example, it can download malicious content for a user or device. The reasons may be the use of outdated libraries and APIs, as well as incorrect configuration of the component.
At the same time, as a component that is responsible for opening links, WebView can display pages both from a remote site and those that are stored locally. Most often — in the resources of the application.
Alexander Gerasimov
CISO Awillix
This is how developers implement a caching mechanism to provide support for offline mode. Worse — if from local memory. Even worse — if from the shared. Here we add various ways to forcibly redirect the display path through classic path attacks, as well as special cases, for example, android.net.URI, shouldOverrideUrlLoading, DeepLink processing problems, and so on.
At the same time, WebView, if we consider it as an extension class of the View class in Android, can provide additional configurations that make it possible to carry out attacks from the application. For example, the @JavascriptInterface annotation will allow you to create an interface for JavaScript to run in the WebView for all pages that will be loaded. In case an insecure protocol is used somewhere, this can be used to inject JS code into the application.
The expert recalls that WebView is also a fragment of the Android ecosystem, so problems with data storage cannot be ruled out. They may not be tied to the business scenario of the application, but they can be used on some screens, stored locally, and stored for a very long time.
Safety with WebView
To ensure the protection of an application with a built-in browser from Android, Cyber Media interlocutors advise:
- use HTTPS — interaction with the servers where the back-end is hosted must be encrypted,
- competently manage SSL — it is necessary to provide for a situation where a secure connection cannot be established,
- Enable JavaScript only for secure content that you can manage yourself,
- disable WebView’s access to the device’s file system,
- create white lists of addresses that can be accessed by the built-in browser,
- always check the source and content of web pages before integrating them with WebView,
- control and filter all user data before displaying it in the embedded browser, and use the Content Security Policy (CSP) to restrict the sources from which content is allowed to be downloaded,
- regularly update the libraries and APIs used to avoid vulnerabilities associated with outdated code,
- restrict access to cross-site resources — configure the WebView so that it does not provide access to the resources of other sites, thereby preventing data leakage,
- Regularly test the security of the application for vulnerabilities using specialized tools and services.
At the same time, experts agree that you need to start building protection with a competent audit of the application. Only he will make it clear what measures will be needed in each case and whether WebView is needed at all.
Results
What is WebView? First of all, it is a convenient developer tool. At best, it can be an advantage that the owner and users of the application will appreciate. At worst, intruders.
Nevertheless, WebView is increasingly becoming a mandatory step in creating a mobile application. It helps to test hypotheses, replace website pages, and even solve companies’ problems related to sanctions.
All these are important reasons to be aware of vulnerabilities when connecting a component. Fortunately, there are not many of them.
We Got More Tools For #Price
#Update #tutorial #rianews #software #hardware #technology #money #earning #ipmc #love #giveaways #computing #computers #informationtechnology #learning #AI #redfishiaven #servers #deepweb #darkweb #bitcoin
See REDFISH IA VEN ( https://goo.gl/maps/LVKkEYNN2LTe9C34A ) in Google Maps.
https://www.youtube.com/channel/UC6k_cFigPCSEtRyALo1D-tA
Be the First To Know About The New #software
