I have a local HTML file using Javascript code. I'm using webview for loading the HTML file for my android app. I just display text content in my application. There are no navigations or user logins on my screen.
I'm using setJavaScriptEnabled(true) and setWebViewClient in my Java code to load it. I get a warning about XSS vulnerabilities for using setJavaScriptEnabled(true).
I'm not calling other .js or .css files either.
I'm not invoking any other websites in my application. Is my Android app secure enough from piracy or should I add additional code or steps to protect my application code from hackers? Please suggest.
Too late to post an answer. Hope this might be useful for people in future.
Android WebView is highly vulnerable to cross-site scripting since it doesn't have any of the preventive mechanisms that are used by modern browsers like Chrome or Firefox. WebView is also vulnerable to Insecure Direct Object References and SQL Injection.
The XSS vulnerability potential can be used to gain access to shared preference files using the file:/// command or can utilize smsJSInterface.launchSMSActivity to send unwanted SMS messages from the phone.
Either you have to disable JavaScript for the WebView or, if you can't do this, be sure that each context is escaped properly by using an XSS filter component such as the OWASP Java Encoder Project.
Refer to this best answer
The question I linked you above has a lot of methods implemented by the guy that made the question. Excellent work of his, if you ask me. Still, he is concerned about how secure his app is. Well, if you are developing for old devices (4.0 and below), maybe using the techniques that he is using is the best option. Otherwise, just do what the best answer is suggesting and add this to your manifest:
<manifest>
    <application>
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                   android:value="true" />
        . . .
    </application>
</manifest>
This will enable Safe Browsing for all WebViews in your app.
Good luck, hope it helped :)
Related
As https://support.google.com/faqs/answer/9084685 mentioned, "WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context. "
Does this mean that setJavaScriptEnabled(false) can fix the Cross App Scripting Vulnerability problem?
Well, cross scripting won't work when you disable scripting (JS) at all... Look at the points in Option 2 under the link: all are related to JS and somehow limiting its usage. When you disable JS entirely, then there is nothing to limit - scripting just doesn't work (malicious scripting included).
Note that there are plenty of methods for breaking your app; with WebView there are potentially twice as many...
The problem does not get solved by disabling JavaScript. E.g., what happens if you insert HTML? It might deface your app or site.
The best thing to do is validate ALL data as malicious until validated otherwise...
I am not a mobile dev really, but I am sure you can add some way of authenticating the sources you deal with... JavaScript Web Tokens are one way to handle this type of authentication. Perhaps someone with more Android dev experience can correct me?
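An added example for the two threads above (a WebView that only shows static bundled HTML, and the cross-app-scripting question about untrusted Intents). This is not code from any poster; the activity, the asset file name content.html and a minSdk of 24 (for the WebResourceRequest overload) are assumptions.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical activity: a locked-down WebView for static, bundled HTML.
public class LocalContentActivity extends Activity {
    // The only page ever loaded. It is a constant, never read from an Intent.
    private static final String LOCAL_PAGE = "file:///android_asset/content.html";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings s = webView.getSettings();
        // Static text needs no script, so the XSS / cross-app-scripting surface
        // the lint warning refers to is simply switched off.
        s.setJavaScriptEnabled(false);
        // Even if JS is enabled later, a file:// page must not be able to read
        // other app files (e.g. shared_prefs) or reach arbitrary origins from file://.
        // Assets under file:///android_asset stay loadable with file access disabled.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Safe Browsing per WebView (API 26+); the manifest meta-data is the global switch.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            s.setSafeBrowsingEnabled(true);
        }
        // Remote debugging must be off in release builds.
        WebView.setWebContentsDebuggingEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            // Refuse any navigation away from the bundled page, redirects included.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !LOCAL_PAGE.equals(request.getUrl().toString());
            }
        });

        // getIntent() is deliberately ignored: an untrusted Intent must never choose
        // the URL or supply data that ends up inside the page.
        webView.loadUrl(LOCAL_PAGE);
    }
}
```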
I thought this would be a common issue, but I can't find a straightforward answer to this problem. As soon as I included the Crosswalk WebView Engine for Android, I'm getting the following error message:
"Only secure origins are allowed"
Presumably for HTTP requests made to local and external servers (like http://localhost:3000 or https://my.own.server/) using the Angular $http service.
What is THE Solution to this issue? After many hours of Googling I'm still clueless about how to solve this issue. Could you please point me in the right direction?
Kind regards,
EDIT: This question is not related to permissions given in a server as it has been pointed out, it's actually related to Content Security Policy. As it can be read here, and I quote:
Controls which network requests (images, XHRs, etc) are allowed to be made (via webview directly).
You have to understand that the WebView in this case is Crosswalk (which is Chromium underneath) and I need it to be configured so that I can make requests to both: local servers (http://localhost:3000, etc) and external ones (https://my.own.server).
This question is more akin to this one in my opinion.
How do I configure Crosswalk for an Ionic/Cordova app?
If you own the server, then the easiest way to handle this is to add the response header:
Access-Control-Allow-Origin: *
Here is a discussion on Stack Overflow itself:
Origin is not allowed by Access-Control-Allow-Origin
Good luck.
The Phonegap documentation indicates that it is possible to get the app's browser wrapper to load a custom error URL instead of showing a generic message should the application encounter an error. I find myself asking two questions here:
From what I can tell this is an Android-only feature. So is there an equivalent method for iOS? The Phonegap iOS documentation does not say anything on the subject.
Secondly, can the error URL point to a separate HTML document in the project/www folder from which the application will be built or does it have to be an external URL. My thinking is that an external URL does not in fact make much sense - what if the application error happens when the user is not on a network?
I'd be most obliged to anyone who might be able to clarify these issues.
From OP
From what I can tell this is an Android-only feature. So is there an equivalent method for iOS? The Phonegap iOS documentation does not say anything on the subject.
There appears to be no equivalent for iOS in the documentation. You can safely assume, if it is not there, it is not available.
To be clear, the underlying iOS library has no default error method. On Android, there is a method for dealing with this.
Secondly, can the error URL point to a separate HTML document in the project/www folder from which the application will be built or does it have to be an external URL. My thinking is that an external URL does not in fact make much sense - what if the application error happens when the user is not on a network?
Your assumption is correct. The "error.html" should be on the device and in the www/ directory. The file should NOT be on the network/internet. You'd be surprised how many times I see this error.
I have a few questions about webRTC on Android. I can say I'm new to Android and webRTC, but I can also say I did a lot of research about webRTC on Android. I still have a few questions, though. (Some of them because I'm new, and some of them because I'm okay but not fully.)
I'm trying to make an Android app which is going to communicate between a web browser (first choice is Chrome) and an Android device directly (p2p, we can say). So I did a lot of research and I found webRTC is good for me. Would you advise something else, or do you think it is okay? (Also, I am going to code a plugin for Chrome.)
Nearly every document says 'Android does not directly support webRTC'. So I need something to provide webRTC on Android. What is it? Is it native Android code that I have to write? Is it a native (NDK) library that I have to include in my project? Or is it a Java lib? Or should I go for Cordova/Crosswalk or something like that? I researched all of them but didn't find anything that can help me. Yeah, there are documents about it, but not enough.
Some documents say I need Chromium. But why and how? They show me lots of Linux terminal commands and there is not a single line of Java or C or C++ code. Even some of the terminal commands and links they give are not working.
I read/found/tried these things as a result of my research:
Apache cordova
Crosswalk
http://www.webrtc.org/
https://github.com/webrtc
http://webrtc.github.io/samples/
http://simonguest.com/2013/08/06/bui...t-for-android/
http://orcaman.blogspot.com.tr/2014/...tc-source.html
https://github.com/pchab/ProjectRTC
https://github.com/pchab/AndroidRTC
and something more..
In a nutshell, I need help. Please give me your hand. Thank you. (Because I'm really very helpless and have tried to do my best.)
Thank you.
As others have suggested, I recommend checking out g.co/webrtc. As I understand it, your goal is to make Android connect to a web browser using WebRTC. There are two (three) ways you can achieve that.
You can just use Chrome, Opera or Firefox for Android. All these browsers support WebRTC, and it allows you to use the same code for your web app, as for your Android app. With the new Add to homescreen support, as well as support for push notifications from web apps on Android, this could be a very good solution for you.
You can use the Android native WebRTC library, available from WebRTC.org. As mentioned in my article, I recommend using the pristine.io compiled library, available from MavenCentral.
If you can limit your application to Lollipop, you can use WebView, which supports WebRTC now, iirc. I don't know much about it, though.
And the best resource for getting help is discuss-webrtc. It's a lot more active than StackOverflow.
The title says it all. I would like to know about everything the WebView is asking for. Some weird limitations, like not knowing about XHR POST, are not acceptable. In other words, something like iOS has in NSURLProtocol. That one is an application-wide hook. I don't need such a level of control; a WebView-instance-specific hook would be good enough. Now, I know that nothing like that exists on Android out of the box. I know about shouldOverrideUrlLoading and shouldInterceptRequest, but it's largely unusable. I need to know about requests (method, HTTP version, headers, you know), not just merely the URL strings. Moreover, the intercepting is awkwardly synchronous. What happens if the shouldInterceptRequest call is blocked because I need to ask a different server for a related resource? It appears to me to be designed just for local resource caching.
On the other hand, I am willing to throw anything at the problem. Some kind of native library, hooking into low-level internals? Extending Chromium interfaces with the help of an existing project (pwnall, mogoweb)? Reflecting into the existing WebKit class privates? An application-specific proxy? Any insights appreciated. I have read through two dozen existing SO questions. They all either suggest a partial hack (like working around the XHR POST deficiency with JavaScript) or, very often, it goes unanswered altogether.
Try with inspeckage:
https://github.com/ac-pm/Inspeckage
It needs Xposed and root access to work. I've been able to see WebView requests from apps. I'm figuring out how to recreate them with Python's requests module.
Hope that helps.
If I understand your goal - try:
WebView.setWebContentsDebuggingEnabled(true);
Open Chrome and go to the URL chrome://inspect/#devices
For details:
https://developers.google.com/web/tools/chrome-devtools/remote-debugging
https://developers.google.com/web/tools/chrome-devtools/remote-debugging/webviews
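An added in-app alternative to the two answers above for auditing what a WebView requests, without root or a debug build. This is example code, not from any poster; it assumes API 21+, where shouldInterceptRequest receives a WebResourceRequest that carries the method and request headers (the body of an XHR POST is still not exposed, which is the limit the question runs into).

```java
import android.util.Log;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Map;

// Hypothetical client that records every request a WebView issues (API 21+).
// Install with: webView.setWebViewClient(new AuditingWebViewClient());
public class AuditingWebViewClient extends WebViewClient {
    private static final String TAG = "WebViewAudit";

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        // Called off the UI thread, but synchronously for the page load: log and return
        // quickly, never do a network round-trip in here.
        Log.d(TAG, describe(request));
        // null means "not handled": the WebView fetches the resource as usual.
        return null;
    }

    // Builds one log record: method, URL, frame type and every request header.
    static String describe(WebResourceRequest r) {
        StringBuilder sb = new StringBuilder();
        sb.append(r.getMethod()).append(' ').append(r.getUrl());
        sb.append(r.isForMainFrame() ? " [main frame]" : " [sub-resource]");
        if (r.hasGesture()) {
            sb.append(" [user gesture]");
        }
        for (Map.Entry<String, String> h : r.getRequestHeaders().entrySet()) {
            sb.append('\n').append(h.getKey()).append(": ").append(h.getValue());
        }
        return sb.toString();
    }
}
```

Unexpected hosts or methods in the log are the signal to tighten shouldOverrideUrlLoading or the page's own content; the hook itself never blocks anything.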