Exploiting Input Validation in Webview – #8 DIVA Solution

Android WebView is a component through which developers can give users access to web content from within their apps. Embedding a WebView can become risky if it is not handled properly: the underlying browser engine supports several URI schemes (http, https, ftp, file, and so on), and an attacker can take advantage of this to make the WebView display files from the app's local storage using the file URI scheme. The attack requires neither a rooted device nor a debuggable app; all it needs is a WebView with an address bar, or one that otherwise loads a URL taken from user input.

The video demonstrates, using the DIVA app, how a WebView can be exploited. First, see what the app does normally by entering http://www.nestedif.com : the page is fetched over the internet and displayed. Now let us try to exploit it: the target is a file inside the app sandbox, and the goal is to read the stored user credentials without root access.


Download
DIVA.apk

file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml

On entering the above URI, notice that the WebView displays the content of the file in cleartext (make sure the file has been created before you try this). SharedPreferences files are protected by the app sandbox, so other apps cannot read them; but because the WebView belongs to the same app that owns the file, the OS grants it permission to read it. In the same way you can view files on the SD card by entering their path (you may have to check your SD card mount point to get the full path).

Note:

Since Android 6, the app permission model has changed, so you might get an access denied error; the first time, you have to grant the app read/write storage permission from the app settings.

The risk is somewhat narrowed here, since an attacker who cannot use our app can still reach the SD card through other apps such as file explorers. It cannot be neglected, however: if any sensitive information is left in cleartext inside the app sandbox, a single WebView becomes a hole in the wall. The risk grows considerably when the device is managed by an MDM solution that restricts the user to a single app with no access to any other location (for example, a tablet used as a ticket kiosk, where only the ticketing app is shown and the user cannot even reach the device's home screen).

Remediation

  • Build WebViews without an address bar, so that the user cannot enter their own URI.
  • If an address bar must be provided, validate the user input properly, treating all user data as untrusted. An allow-list of permitted schemes and hosts, a block-list (less preferred), or regex matching can be used to reject malicious input.
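The allow-list approach from the remediation, written out as an added example for an Android WebView (this is illustrative code, not DIVA's own source). It assumes the app only needs to show www.nestedif.com over https (a hypothetical allow-list) and targets API 24 or later, where shouldOverrideUrlLoading receives a WebResourceRequest; file access is switched off in the WebView settings as a second line of defence, so even a validation bypass cannot reach the sandbox.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SafeWebViewLoader {
    // Hypothetical allow-list: the only hosts this app is permitted to display.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.nestedif.com", "nestedif.com"));

    /** Returns true only for an https URL whose host is on the allow-list. */
    public static boolean isAllowed(String input) {
        if (input == null) return false;
        Uri uri = Uri.parse(input.trim());
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // "file:///data/data/..." has no usable host and the wrong scheme: rejected here.
        if (scheme == null || host == null) return false;
        return "https".equalsIgnoreCase(scheme) && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    /** Lock down a WebView that loads addresses typed by the user. */
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);                  // no file:// loads at all
        s.setAllowFileAccessFromFileURLs(false);      // no file->file reads from page scripts
        s.setAllowUniversalAccessFromFileURLs(false); // no file->any-origin reads
        s.setAllowContentAccess(false);               // no content:// provider access
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Also filters redirects and links followed inside a loaded page.
                return !isAllowed(request.getUrl().toString()); // true = block this navigation
            }
        });
    }

    /** Address-bar entry point: load only after the input passes validation. */
    public static boolean loadFromAddressBar(WebView webView, String typed) {
        if (!isAllowed(typed)) return false;
        webView.loadUrl(typed.trim());
        return true;
    }
}
```

With this allow-list the plain http://www.nestedif.com address used in the demo is also rejected, which is intentional: only https is accepted, so downgrade to cleartext transport is refused along with file, content and unknown schemes.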
