addJavaScriptInterface Remote Code Execution.
addJavaScriptInterface Remote Code Execution.
Description
The addJavascriptInterface() method on API level JELLY_BEAN or below can be abused via reflection to execute commands remotely in the context of the running application
The addJavascriptInterface method exposes a supplied Java object from within a WebView to JavaScript. For applications compiled or linked against and API level less than 17; all public methods (including the inherited ones) can be accessed. Through the use of reflection it is also possible to invoke any other unregistered Java class.
Recommendation
This issue has been resolved in applications developed for Android 4.2 (API level 17) and above. Starting from Android 4.2 (API level 17) and above, only methods explicitly marked with the @JavascriptInterface annotation are available to JavaScript code within the WebView. The @JavascriptInterface annotation must be added to any method that is intended to be exposed via the native bridge (the method must also be public). An example is presented below:
@JavascriptInterfacepublic void method() {dostuff();}
To resolve the issue, you need to build you application for API 17 or above and redistribute it. The users would need to upgrade their applications to use the new non-vulnerable application.
Links
- DRD13. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)
- CVE-2013-4710
- MWR Labs Advisory
- Metasploit Public Exploit
Standards
- OWASP_MASVS_L1:
- MSTG_PLATFORM_7
- OWASP_MASVS_L2:
- MSTG_PLATFORM_2
- GDPR:
- ART_5
- ART_32
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_11_3