Summary
Your application is using addJavascriptInterface(). This may allow an attacker to execute arbitrary code on Android devices. The vulnerability is exploited by injecting JavaScript into a WebView, which is then loaded by the application and executed.
Recommendation
Disable JavaScript and Plugin support if they are not needed. They are disabled by default, but it is good practice to set these explicitly. Disable local file access. This restricts access to the app's resource and asset directory and mitigates an attack from a web page that seeks to gain access to other locally accessible files. Prevent loading content from third-party hosts. This is tricky to prevent completely from within an app, but a developer can override shouldOverrideUrlLoading and shouldInterceptRequest to intercept, inspect, and validate most requests initiated from within a WebView. A whitelist scheme can also be implemented by using the URI class to inspect the components of a URI and ensure it matches a whitelist of approved resources. Google provides remediation steps at https://support.google.com/faqs/answer/9095419?hl=en and sample code can be found on GitHub.
This method can be used to allow JavaScript to control the host
application. This is a powerful feature, but also presents a security risk
for apps targeting JELLY_BEAN or earlier. Apps that target a version later
than JELLY_BEAN are still vulnerable if the app runs on a device running
Android earlier than 4.2. The most secure way to use this method is to
target JELLY_BEAN_MR1 and to ensure the method is called only when
running on Android 4.2 or later. With these older versions, JavaScript
could use reflection to access an injected object's public fields. Use of
this method in a WebView containing untrusted content could allow an
attacker to manipulate the host application in unintended ways, executing
Java code with the permissions of the host application. Use extreme care
when using this method in a WebView which could contain untrusted
content.
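The following is an added example, not NowSecure's text or Google's sample code, that puts the recommendation and the API note above together: explicit WebSettings hardening, a WebViewClient that applies a host whitelist in both shouldOverrideUrlLoading and shouldInterceptRequest using android.net.Uri, and a bridge object that is only injected on JELLY_BEAN_MR1 or later so the @JavascriptInterface restriction applies. The host names, the AppBridge class, and the start URL are constructed placeholders.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: hardening a WebView that exposes a JavaScript bridge (not NowSecure's or Google's code). */
public final class HardenedWebView {

    // Constructed allowlist of hosts this WebView may load; replace with your own.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "cdn.example.com"));

    private HardenedWebView() {}

    /**
     * The whitelist check from the recommendation: parse with android.net.Uri and
     * require https, an exact host match, and no userinfo component.
     */
    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null) return false;
        // Reject any userinfo so a URL such as https://app.example.com@other.invalid/
        // is refused outright rather than relying on how it parses.
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Object injected into the page. On API 17+ only @JavascriptInterface methods are reachable from JS. */
    static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }   // constructed value
    }

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);    // needed only because a bridge is exposed; otherwise keep false
        settings.setAllowFileAccess(false);     // no file:// loads
        settings.setAllowContentAccess(false);  // no content:// loads

        webView.setWebViewClient(new WebViewClient() {
            // Top-level navigations (API 24+ overload). Returning true cancels the load.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());
            }

            // Every sub-resource fetch (scripts, images, XHR, iframes; API 21+ overload).
            // Returning null lets the WebView load it; anything off the whitelist gets an empty 403.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl())) return null;
                return new WebResourceResponse("text/plain", "utf-8", 403, "Forbidden",
                        Collections.<String, String>emptyMap(),
                        new ByteArrayInputStream(new byte[0]));
            }
        });

        // Inject the bridge only where the @JavascriptInterface restriction is enforced.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        }

        webView.loadUrl("https://app.example.com/");   // constructed start page
    }
}
```

isAllowed is a plain static method so it can be unit tested against odd inputs (mixed-case hosts, userinfo, http, missing host) without instantiating a WebView. Two caveats worth keeping in mind: shouldOverrideUrlLoading is not invoked for the initial loadUrl() call or for POST submissions, which is why the sub-resource check in shouldInterceptRequest is also needed, and on devices below API 24 the deprecated String-based shouldOverrideUrlLoading overload must be overridden as well to get the same navigation check.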
Risk and Regulatory Information
Severity: low
CVSS: 3.1
Application
See more detail in the NowSecure Report