Call to dangerous WebView settings API

Description

Lists every WebView settings method the application calls, so that settings which weaken the WebView sandbox (mixed content, file:// access, JavaScript bridges, remote debugging) can be reviewed.

Recommendation

To Mitigate Dangerous WebView API Usage:

Primary Defense – Disable Mixed Content:

import android.os.Build;
import android.webkit.WebSettings;

// setMixedContentMode() exists from API 21. Apps targeting API 21 or later already
// default to MIXED_CONTENT_NEVER_ALLOW; the explicit call protects against an
// ALWAYS_ALLOW set elsewhere and against older targetSdk values.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
    webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
}
- Prevents HTTPS pages from loading insecure HTTP resources
- Stops man-in-the-middle attacks via injected scripts

Restrict File Access:

// Defaults to true for apps targeting API 29 or lower and to false from API 30, so set it explicitly.
webView.getSettings().setAllowFileAccess(false);
// Both flags exist from API 16 (where they already default to false) and are deprecated from API 30.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
    webView.getSettings().setAllowFileAccessFromFileURLs(false);
    webView.getSettings().setAllowUniversalAccessFromFileURLs(false);
}
- Blocks file:// scheme exploitation
- Prevents local file and database leakage

Harden JavaScript Interface:

// "interfaceName" is whatever name was passed to addJavascriptInterface(); remove every bridge the page does not need.
webView.removeJavascriptInterface("interfaceName");
// If a bridge is required, expose only the minimal set of methods annotated with @JavascriptInterface.
- Avoids remote code execution via addJavascriptInterface(): apps targeting API 16 or lower expose every public method of the bridge object, including reflection, to any page loaded in the WebView; from API 17 only methods annotated with @JavascriptInterface are reachable, but those remain callable from every origin the WebView loads
- Use WebMessagePort or allowlist trusted origins if a JS bridge is required

Additional Protections:

  • Disable WebView debugging in production:

    // Static setting, API 19+. Gate any call that passes true on BuildConfig.DEBUG so it cannot reach a release build.
    WebView.setWebContentsDebuggingEnabled(false);

  • Enable Safe Browsing (API 26+):

    // WebSettings.setSafeBrowsingEnabled() is the API 26 setting; there is no WebView.enableSafeBrowsing() method.
    webView.getSettings().setSafeBrowsingEnabled(true);

    Safe Browsing is on by default from API 27 unless the manifest opts out through the android.webkit.WebView.EnableSafeBrowsing meta-data entry. To make sure protection is active before the first page load, call WebView.startSafeBrowsing(context, callback) (API 27) and wait for the callback to report true.

Disabling mixed content, restricting file access and securing JavaScript bridges removes the main attack vectors associated with these WebView APIs while leaving the WebView usable for the app's own content.
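The following is an added example, not code from the original page: it applies every recommendation above in one factory method and adds the origin allowlist that the JavaScript-bridge section calls for, so the bridge is only reachable from the app's own HTTPS host. The class and method names (SecureWebViewFactory, AppBridge, isAllowed), the host app.example.com and the debugBuild flag are assumptions made for the example.

```java
package com.example.securewebview; // hypothetical package, not from the original page

import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Builds a WebView with the hardened settings described in the recommendation. */
public final class SecureWebViewFactory {

    // Assumption for the example: this WebView only ever renders the app's own HTTPS origin.
    private static final String ALLOWED_HOST = "app.example.com";

    private SecureWebViewFactory() {}

    /** @param debugBuild pass BuildConfig.DEBUG so debugging can never be enabled in a release build */
    public static WebView create(Context context, boolean debugBuild) {
        WebView webView = new WebView(context);
        WebSettings settings = webView.getSettings();

        // 1. Mixed content: refuse http:// sub-resources on https:// pages (API 21+).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }

        // 2. Local access: no file:// loads, no content:// providers, no file-origin bypasses.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // 3. JavaScript: only enable it because the allow-listed page needs the bridge below,
        //    and expose a bridge whose single method carries @JavascriptInterface.
        settings.setJavaScriptEnabled(true);
        settings.setJavaScriptCanOpenWindowsAutomatically(false);
        settings.setSupportMultipleWindows(false);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");

        // 4. Remote debugging: static flag, never true outside debug builds (API 19+).
        WebView.setWebContentsDebuggingEnabled(debugBuild);

        // 5. Safe Browsing (API 26+).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            settings.setSafeBrowsingEnabled(true);
        }

        // 6. Navigation allowlist: any top-level navigation away from ALLOWED_HOST over https
        //    is refused, so the bridge above is only reachable from our own origin.
        webView.setWebViewClient(new WebViewClient() {
            @Override // API 24+
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());
            }

            @Override // pre-API 24 devices call this overload instead
            @SuppressWarnings("deprecation")
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));
            }
        });

        webView.loadUrl("https://" + ALLOWED_HOST + "/");
        return webView;
    }

    /** Returns true only for https URLs on the allow-listed host. */
    static boolean isAllowed(Uri url) {
        return url != null
                && "https".equalsIgnoreCase(url.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(url.getHost());
    }

    /** Minimal bridge: only methods annotated with @JavascriptInterface are callable from page JS. */
    static final class AppBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // illustrative value
        }
    }
}
```

Returning true from shouldOverrideUrlLoading cancels the navigation, so a page that tries to redirect the WebView to a third-party origin simply stays put. Note that this callback only covers top-level navigations: sub-resource loads (scripts, images, iframes) are not routed through it, which is why the mixed-content and file-access settings above are still required rather than replaced by the allowlist.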

Standards

  • OWASP_MASVS_L1:
    • MSTG_PLATFORM_6
    • MSTG_PLATFORM_5
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_6
    • MSTG_PLATFORM_5
  • OWASP_MASVS_v2_1:
    • MASVS_PLATFORM_2
    • MASVS_PLATFORM_3