lcimeni / youtube


NowSecure static analysis: Use of JavaScript Interface Potentially Exposes New Attack Vector #38

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

Your application is using addJavascriptInterface(). This may allow an attacker to execute arbitrary code on Android devices. The vulnerability is exploited by injecting JavaScript into a WebView which then would be loaded by the application and executed.

Steps to Reproduce

This test statically checks reverse engineered code for the usage of addJavascriptInterface().

Business Impact

The app is using a 3rd party library to communicate which is not secure. A malicious actor could remotely see and modify information coming to and from the app, potentially from multiple users at once.

Remediation Resources

- Disable JavaScript and Plugin support if they are not needed. They are disabled by default, but it is good practice to explicitly set these.
- Disable local file access. This restricts access to the app's resource and asset directory and mitigates against an attack from a web page which seeks to gain access to other locally accessible files.
- Prevent loading content from 3rd party hosts. This is tricky to completely prevent from within an app, but a developer can override shouldOverrideUrlLoading and code shouldInterceptRequest to intercept, inspect, and validate most requests initiated from within a WebView. A whitelist scheme can also be implemented by using the URI class to inspect the components of a URI and ensure it matches a whitelist of approved resources.
- Google provides remediation steps at https://support.google.com/faqs/answer/9095419?hl=en and sample code can be found on GitHub.

This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for apps targeting JELLY_BEAN or earlier. Apps that target a version later than JELLY_BEAN are still vulnerable if the app runs on a device running Android earlier than 4.2. The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later. With these older versions, JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.

Risk and Regulatory Information

Severity: low CVSS: 3.1

Application

See more detail in the NowSecure Report
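The following is an added example, not code from the lcimeni/youtube repository or from the NowSecure report, showing a WebView configured along the lines of the remediation text above: JavaScript and plugins explicitly off unless needed, local file and content access disabled, the Java bridge only registered on Android 4.2+ (JELLY_BEAN_MR1) with `@JavascriptInterface`, and both `shouldOverrideUrlLoading` and `shouldInterceptRequest` checking an allowlist built with `android.net.Uri`. The host allowlist, the `AppBridge` class and its method, and a minSdkVersion of 24 (so the `WebResourceRequest` overloads are used) are assumptions for the example.

```java
// Added example (not the project's own code). Assumed: ALLOWED_HOSTS, the
// AppBridge class, and minSdkVersion 24 for the WebResourceRequest overloads.
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    private static final String TAG = "HardenedWebView";

    // Assumed allowlist: the only hosts the WebView may navigate to or fetch from.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    /** Bridge exposed to page JavaScript. On API 17+ only methods carrying
     *  @JavascriptInterface are reachable from script; keep the surface small. */
    public static final class AppBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";   // hypothetical value for the example
        }
    }

    /** Allowlist check on the parsed URI: exact scheme and host match, not a
     *  string prefix (a prefix test would accept https://example.com.evil.net). */
    static boolean isAllowed(Uri uri) {
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();

        // 1. JavaScript and plugins: off unless required, and set explicitly.
        s.setJavaScriptEnabled(needsJavaScript);
        s.setPluginState(WebSettings.PluginState.OFF);   // deprecated API, still honoured on old devices

        // 2. No local file or content-provider access from page content.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // 3. Only register the bridge on Android 4.2+ (JELLY_BEAN_MR1), where
        //    @JavascriptInterface stops script from reflecting over the object.
        if (needsJavaScript && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        }

        // 4. Allowlist both top-level navigations and sub-resource requests.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl())) return false;   // false = let WebView load it
                Log.w(TAG, "blocked navigation to " + request.getUrl());
                return true;                                      // true = swallow the navigation
            }

            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl())) return null;     // null = fetch normally
                // Empty response: the script, iframe or image from a non-allowlisted host never loads.
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
    }

    // Entry point for the example: configure, then load only the allowlisted origin.
    public static void loadHome(WebView webView) {
        configure(webView, true);
        webView.loadUrl("https://www.example.com/");
    }
}
```

The allowlist requires `https`, since an allowlisted host reached over plain HTTP could still have script injected on the wire, which is exactly the content that would then call the bridge. On devices below API 24 the deprecated `String`-argument overloads of both callbacks would also need overriding, otherwise those devices bypass the checks.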

lcimeni commented 3 years ago

Update: The fix for this finding has been verified by NowSecure.
