Android WebView addJavascriptInterface Arbitrary Java Method Access

2014-02-11T00:00:00
ID SAINT:D74C1E9CA1CBCCAF5DAEA2F1C7DC3D4A
Type saint
Reporter SAINT Corporation
Modified 2014-02-11T00:00:00

Description

Added: 02/11/2014
CVE: CVE-2013-4710
OSVDB: 97520

Background

Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the Android View API which allows an application developer to load a web page as part of a client application.

Problem

The **addJavascriptInterface** method of WebView exposes a supplied Java object from within WebView to JavaScript. WebView with an API level less than 17 allows all public methods to be accessed, so that it is possible to use **addJavascriptInterface** to call any unregistered Java class and thereby execute commands remotely in the context of the running application.

Resolution

Applications developed for Android 4.2 (API level 17) and above are not vulnerable. Users who cannot upgrade their Android version should remove all applications that embed advertisements or ensure that they do not connect to untrusted networks while using applications with embedded advertisements.

References

<http://jvn.jp/en/jp/JVN53768697/>
<https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/>
<http://blogs.avg.com/mobile/analyzing-android-webview-exploit/>

Limitations

The user must run a vulnerable application which loads a specially crafted page.

Platforms

Android