Does setJavaScriptEnabled(false) fix Cross App Scripting Vulnerability - android

As https://support.google.com/faqs/answer/9084685 mentioned, "WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context."
Does this mean that setJavaScriptEnabled(false) can fix the Cross App Scripting Vulnerability problem?

Well, cross scripting won't work when you disable scripting (JS) at all... Look at the points in Option 2 under the link: all are related to JS and somehow limiting its usage. When you disable JS at all then there is nothing to limit - scripting just doesn't work (also malicious).
Note that there are plenty of methods for breaking your app; with WebView there are potentially twice as many...

The problem does not get solved by disabling JavaScript. E.g. what happens if you insert HTML? It might deface your app or site.
The best thing to do is validate ALL data as malicious until validated otherwise...
I am not a mobile dev really but I am sure you can add some way of authenticating the sources you deal with... Javascript Web Tokens are one way to handle this type of authentication. Perhaps someone with more android dev experience can correct me?
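
The two answers above can be combined: treat the Intent extra as untrusted and validate it before it reaches the WebView, and keep JavaScript off. The following is an added example, not part of the original posts; the activity name, extra key, fallback URL and allowed host are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Hypothetical exported Activity that shows a page named by the launching Intent.
public class HelpActivity extends Activity {
    static final String EXTRA_URL = "com.example.app.EXTRA_URL";    // assumed extra key
    static final String FALLBACK_URL = "https://help.example.com/"; // assumed default page
    static final Set<String> ALLOWED_HOSTS = Collections.singleton("help.example.com");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);  // already the default; stated explicitly
        settings.setAllowFileAccess(false);    // no file system access through file://
        settings.setAllowContentAccess(false); // no content:// provider loads

        // Any app can supply this extra when the Activity is exported.
        String raw = getIntent().getStringExtra(EXTRA_URL);
        webView.loadUrl(isTrusted(raw) ? raw : FALLBACK_URL);
    }

    // Accept only absolute https URLs whose host is on the allowlist.
    static boolean isTrusted(String raw) {
        if (raw == null) return false;
        try {
            URI uri = new URI(raw); // strict parser: malformed input throws
            // Anything other than https (javascript:, file:, data:, http:) is refused.
            if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
            String host = uri.getHost();
            return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```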

Related

FHIR Validation in Android

I have a project in which I have to perform a FHIR validation. I have implemented this functionality in a regular Java application using the hapi-fhir library with the Instance Validator and Schematron Validator. I am trying to do the same for Android but I have concluded that hapi-fhir uses a caching library (caffeine) which is not supported on Android.
Is there any way I can implement this? Maybe bypass caffeine caching or something I can't think of?
Any suggestions can be very helpful!!
My advice would definitely be to offload any StructureDefinition (i.e profile) validation to a server, e.g. by calling the $validate operation.
FHIR's native validation capabilities are really powerful, but they are by their nature very compute-intensive which is always going to be problematic on a mobile device.
For what it's worth, the approach I've seen people take generally is to hand-roll any validation rules on the device that are required for a good UI experience (e.g. mandatory fields and that kind of thing) but then to defer the complex structuredefinition rules until the data hits a server.

Crosswalk browser for Android throws “Only secure origins are allowed” error

I thought this would be a common issue but I can't find a straightforward answer to this problem. As soon as I included the Crosswalk WebView Engine for Android I'm getting the following error message:
"Only secure origins are allowed"
.... Presumably for http requests made to local and external servers (like http://localhost:3000 or https://my.own.server/) using the angular $http service.
What is THE Solution to this issue? After many hours of Googling I'm still clueless about how to solve this issue. Could you please point me in the right direction?
kind regards,
EDIT: This question is not related to permissions given in a server as it has been pointed out, it's actually related to Content Security Policy. As it can be read here, and I quote:
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
You have to understand that the WebView in this case is Crosswalk (which is Chromium underneath) and I need it to be configured so that I can make requests to both: local servers (http://localhost:3000, etc) and external ones (https://my.own.server).
This question is more akin to this one in my opinion.
How do I configure Crosswalk for an Ionic/Cordova app?
If you own the server then the easiest way to handle this is to add response header for:
Access-Control-Allow-Origin: *
Here is a discussion on Stack Overflow itself.
Origin is not allowed by Access-Control-Allow-Origin
Good luck.

android webview app developed using eclipse shows XSS vulnerabilities warning

I have a local HTML file using Javascript code. I'm using webview for loading the HTML file for my android app. I just display text content in my application. There are no navigations or user logins on my screen.
I'm using setJavaScriptEnabled(true) and setWebViewClient in my Java code to load. I get a warning about XSS vulnerabilities for using setJavaScriptEnabled(true).
I'm not calling other .js or .css files either.
I'm not invoking any other websites in my application. Is my Android app secure enough from piracy or should I add additional code or steps to protect my application code from hackers? Please suggest.
Too late to post an answer. Hope this might be useful for people in future.
Android WebView is highly vulnerable to cross-site scripting since it doesn't have any preventive mechanisms that are used by modern browsers like Chrome or Firefox. WebView is also vulnerable to Insecure Direct Object References and SQL Injection.
The XSS vulnerability potential can be used to gain access to shared preference files using the file:/// command or can utilize smsJSInterface.launchSMSActivity to send unwanted SMS messages from the phone.
Either you have to disable JavaScript for the WebView or, if you can't do this, be sure that each context is escaped properly by using an XSS filter component such as the OWASP Java Encoder Project.
Refer to this best answer
The question I linked you above has a lot of methods implemented by the guy that made the question. Excellent work of his, if you ask me. Still he is concerned about how secure his app is. Well, if you are developing for old devices (4.0 and below) maybe using the techniques that he is using is the best option. Otherwise, just do what the best answer is suggesting and add this to your manifest:
<manifest>
    <application>
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                   android:value="true" />
        . . .
    </application>
</manifest>
This will enable Safe Browsing for all WebViews in your app.
Good luck, hope it helped :)

Intercept *all* requests from Android WebView

The title says it all. I would like to know about everything that the WebView is asking for. Some weird limitations like not knowing about XHR POST are not acceptable. In other words, something like what iOS has in NSURLProtocol. That one is an application-wide hook. I don't need such a level of control; a WebView-instance-specific hook would be good enough. Now, I know that nothing like that exists on Android out of the box. I know about shouldOverrideUrlLoading and shouldInterceptRequest, but they are largely unusable. I need to know about requests (method, HTTP version, headers, you know), not just merely the URL strings. Moreover the intercepting is awkwardly synchronous. What happens if the shouldInterceptRequest call is blocked because I need to ask a different server for a related resource? It appears to me to be designed just for local resource caching.
On the other hand, I am willing to throw anything at the problem. Some kind of native library, hooking into low-level internals? Extending Chromium interfaces with the help of an existing project (pwnall, mogoweb)? Reflecting into the existing webkit class privates? Application-specific proxy? Any insights appreciated. I have read through two dozen existing SO questions. They all either suggest a partial hack (like working around the XHR POST deficiency with JavaScript) or go unanswered altogether, very often.
Try with inspeckage:
https://github.com/ac-pm/Inspeckage
It needs Xposed and root access to work. I've been able to see WebView requests from apps. I'm figuring out how to recreate them with Python's requests module.
Hope that helps.
If I understand your goal - try:
WebView.setWebContentsDebuggingEnabled(true);
Open Chrome and go to url chrome://inspect/#devices
for details:
https://developers.google.com/web/tools/chrome-devtools/remote-debugging
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/webviews

Substitute webview in PhoneGap for Android

(re-post from the PG google group)
I know there's been a lot of conversation on this in the past, but I've been researching it for the past few days and couldn't seem to find a definitive answer (or even what it would entail).
I was wondering how plausible it would be to embed a snapshot build of the Chrome webview (or even the Gecko webview) into a Phonegap app and to use that in place of the native webview that PhoneGap uses. The problem is twofold - 1) Android's native browser/webview is terrible and 2) Each phone seems to have idiosyncratic bugs/differences, which having one set snapshot to build against would fix.
I've seen answers ranging from "Oh, yeah, just build the source and drop it in" to "You'd need a full team of Java devs to hack the PhoneGap API core to get it to work". Does anyone have an answer of what it would entail, how much time it would take, if it's even plausible, etc? I suppose the biggest concern is - given we can get a snapshot build of the Chrome webview, does that break any of the connections to the PhoneGap APIs? Are they tied specifically to the native webview?
Any and all thoughts are appreciated. Thanks!
Chrome has the ability to be embedded by use of the Content Module. In theory (I have never done it) you can build this and embed it into your Application and use that instead of a WebView - it has the advantage of being an up to date Chrome and multi-process. It loses value in that it can't be used pre-Jellybean.
