Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/15736660/
Android App using Webview/javascript. what can be security concern?
Asked by Amit sinha
I am creating an android web app using Webview and Javascript, making addJavascriptInterface(true).
My App will content data(html) that will be loaded from an external site.
I am worried about the cross-site scripting (XSS)/security of my app as I am enabling addJavascriptInterface(true).
What are the things I should be taking care of so that no malicious code can run in my app?
Answered by Azurespot
I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView with addJavascriptInterface(true) can enable two kinds of attacks. One, a malicious website will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.); or two, a malicious app can have access to a vulnerable website by inserting code into its Javascript.
Basically the fix for app developers is to ensure that in WebView, no URL other than the intended one is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView; you can write code to ensure that if any other advertisement in Facebook is clicked, the external browser will open instead of displaying in your WebView. This is most common through iFrames... although the article goes more into depth about that.
Here is the example they present that ensures no other URL is viewed in a WebView other than the one originally intended:
WebViewClient wvclient = new WebViewClient() {
    // override the "shouldOverrideUrlLoading" hook.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!url.startsWith("http://www.facebook.com")) {
            // Not the intended site: hand the URL to the external browser instead.
            Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
            startActivity(i);
            return true;    // handled here; the WebView must not load it
        }
        return false;       // intended site: let the WebView load it
    }
    // override the "onPageFinished" hook.
    @Override
    public void onPageFinished(WebView view, String url) { ... }
};
webView.setWebViewClient(wvclient);
It's a great study, and outlines several different ways of attacks. Worth the read!
Answered by Durai Amuthan.H
There is a vulnerability in WebView older than 4.2 when you enable JavaScript for it.
Use of enabling Javascript:
Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.
addJavascriptInterface (Object object, String name) method:
The addJavascriptInterface method injects a supplied Java object into WebView.
The object is injected into the JavaScript context of the main frame, using a supplied name and this allows the Java object's methods to be accessed from JavaScript.
For applications running Android 4.1 or older, all public methods (including the inherited ones) can be accessed, so when a user's installed application with addJavascriptInterface method loads an external webpage it can use WebView and javascript to call a java object (like a 'Javascript pipeline' and usage of reflection to invoke any other unregistered Java class) which allows attackers to call Android's Java methods.
The fix:
For applications running Android 4.2, all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.
So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
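The annotation gate described in the answer above, as an added example (not code from the answer, and not Android's own sample): a bridge object that exposes exactly one method to page JavaScript, plus the settings call that registers it. The class name AppBridge, the method names and the URL are hypothetical, and the example assumes targetSdkVersion 17 or higher, since that is what makes @JavascriptInterface the only way a method becomes reachable.

```java
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

/*
 * Added example, not from the answer or from Android's documentation.
 * With targetSdkVersion >= 17 on Android 4.2+, page JavaScript can call only the
 * methods carrying @JavascriptInterface; every other public or inherited method
 * (including getClass(), the entry point of the reflection trick the answer
 * describes) stays invisible to the page.
 */
public final class AppBridge {

    // Exposed: page JavaScript reaches this as window.AppBridge.getAppVersion().
    @JavascriptInterface
    public String getAppVersion() {
        return "1.0";   // constructed value for the example
    }

    // NOT exposed: no annotation, so the page cannot invoke it even though it is public.
    // Keep anything with side effects off the bridge unless it is deliberately annotated.
    public void clearLocalCache() {
        // ... app-internal work, never callable from the page
    }

    // Wiring helper; assumed to run in an Activity once the WebView exists.
    public static void attach(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);      // required for any bridge at all
        settings.setAllowFileAccess(false);       // loaded content gets no file:// access
        // Second argument is the global name the page will see; register the
        // interface before loading the page so the object is present from the start.
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        webView.loadUrl("https://app.example.com/");   // placeholder: your own content only
    }
}
```

The bridge should only ever be attached to a WebView that loads the app's own pages; on a WebView that loads arbitrary external content, every annotated method is callable by whatever that content chooses to run.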
Answered by scottyab
I wrote this gist to help with locking down Android's Webview; similar to @Noni A's answer, it only permits loading for whitelisted URLs by overriding shouldOverrideUrlLoading but also shouldInterceptRequest, which I believe is used by AJAX type calls.