WebView & CustomTabs

Many apps are not written in Java or Kotlin, but get implemented in Javascript and HTML that then gets rendered in a WebViews.

So when looking for security issues in apps, WebViews are a very important attack surface. In very old Android versions (2013), WebViews were very insecure and could even lead to arbitrary code execution. However in modern Android, this is not possible anymore.

Besides WebViews, there also exists so called Custom Tabs. This is a more modern feature

WebView

link: https://developer.android.com/develop/ui/views/layout/webapps/webview

The WebView class is an extension of Android's View class that lets you display web pages as a part of your activity layout. It doesn't include the features of a fully developed web browser, such as navigation controls or an address bar. All WebView does, by default, is show a web page.

A WebView is an actual UI component that can be added into the layout .xml of the app. e.g. It is same as you adding a button in UI.

The WebView element can then be referenced in the application code to load a URL in it.

protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            EdgeToEdge.enable(this);
            setContentView(R.layout.activity_main);

            WebView webView = findViewById(R.id.webview);
            webView.loadUrl("https://www.hextree.io");

            ((Button) findViewById(R.id.button_1)).setOnClickListener(new View.OnClickListener() {
                @Override
                public void onClick(View v) {

                }
            });
        }
    }

and an embedded browser will load your url but remember you won't have features like searchbar like traditional browser.

Webview in browser

navigating to chrome://inspect/#devices in your host machine browser. You get webview debugging interface.

Sometimes it is enabled in production also deliberately which might become a issue, using this function

where in app assets directory we have index.html and other js files which make up the app.

While WebView often serves content from the internet, it can also load local HTML and JavaScript files from within the app itself. This is useful for offline functionality or even when the app is entirely implemented in HTML and Javascript.

Android applications can include an /assets/ folder in their project structure. This folder is bundled into the final APK and is accessible at runtime. And WebView has a built in feature to load these files via file:///android_asset/ (or file:///android_res/):

Note that file:///android_asset/ is considered outdated and Android officially recommends to use an AssetLoader instead.

Because asset files are bundled in the APK publicly distributed in the Play Store, they are considered public. That's why WebViews can load them even when file access is generally not enabled. To be able to load other app internal files, the WebView WebSettings have to be changed:

Some settings like setAllowUniversalAccessFromFileURLs are very dangerous, but might still be required by some apps. We will look deeper into those settings as well.

JavaScriptInterface

WebViews in Android can allow JavaScript running in the WebView to call native Java methods. This is especially useful if the app logic is primarily implemented in HTML/Javascript and wants to access native Android features.

If an attacker can control the document loaded into a WebView, these exposed Java methods could lead to security issues.

e.g.

in this activity you can see onload a webview is loaded with URL file:///android_asset/flag38.html whose content is

Now in java code you should notice

  1. JS is enabled in webview.

  2. Most important thing, in webview we are adding a javascript<->java bridge of class JsObject with name hextree

  3. which allows js in webview to call methods of class JsObject with name hextree. As you have seen in html e.g. hextree.success.

  4. Not every function from Jsobject class is exposed this way, only annotated with @JavascriptInterfaceare exposed to webview JS.

solution,

as you can see if an intent is provided with URL then that URL is loaded in webview. which means which can call success() function with folllowing html file.

and poc app

THis URL: https://oak.hackstree.io/android/webview/pwn.html can become helpful in analyzing webview headers, function exposed etc. when loaded by webview in an app.

other way to solve using data URI

data:text/html,<script>alert(1)</script>

data:text/html,<script>hextree.success(true)</script>

example 2

and html file

in this user controlled data is used to set window.hello_name.innerHTMLwhich can be dangerous.

solution

using html injection and xss we can call exposed fucntion success.

....

Custom Tabs

Custom Tabs are a different way to display web content within an app. Unlike WebViews, Custom Tabs are actually not a UI element. Instead, they rely on the browser installed on the device to provide the interface and functionality.

Read more about it here: https://web.dev/articles/web-on-android#custom_tabs_as_a_solution_for_in-app_browsers.

e.g. this opens hextree on button click

webview vs customtab

  • WebView is an actual embedded browser within your app. It is isolated from other apps, meaning a user logged into a website in their primary browser will not be logged in via the WebView.

  • Custom Tabs simply interacts with the default browser on the device (e.g., Chrome). It shares session data, cookies, and accounts with the browser, meaning users are already logged into websites they’ve accessed in the browser.

“Custom Tabs is effectively a tab rendered by the user's browser”

In terms of security, Custom Tabs do not have access to your app internal files or FileProviders and cannot change the Same Origin Policy behaviour.

Due to these benefits, Google generally recommends developers to use Custom Tabs: https://support.google.com/faqs/answer/12284343?hl=en-GB

See also:

There is no JS-java function bridge in customtab unlike webview

PreviousContent and FileProviderNextInsecure Storage

Last updated