Security Techniques

WebView addJavascriptInterface Remote Code Execution

WebView addJavascriptInterface Remote Code Execution: Many free mobile applications use a WebView to load HTML content as an in process web browser to facilitate advertisement loading from remote advertiser networks. These advertisements are loaded over a clear text channel (HTTP) and are susceptible to Man in the Middle (MitM) attacks. An attacker able to MitM the communications with the advertising network can inject arbitrary Java Script into the WebView. If the WebView provides access to native functionality via JavaScript bridge utilising the ‘addJavascriptInterface’ method, then the WebView Java Script bridge can then be abused to execute arbitrary Java code. This is achieved by using reflection to acquire a reference to a runtime object via the interface implemented.