The Tangled Webview ----- Javascriptinterface Once More

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 1:30 p.m. (30 minutes)

WebView is a widely used Android component and with the method addJavascriptInterface, native applications can interact with web pages. This is a powerful feature, but also presents some security risks like CVE-2012-6336 and "App Clone Attack". Now it comes again.<br><br>We have discovered a novel class of Android WebView vulnerabilities associated with JavascriptInterface, which can bypass ALL verifications.<br><br>During this talk, we will disclose a NEW attack model for the first time. It attacks WebView from a deeper level and can bypass all kinds of validations and restriction technologies to invoke JavascriptInterface from any untrusted page. These vulnerabilities could lead to sensitive information leakage, identity theft, remote code execution and other severe consequences. We will present three vulnerability models, any one of them can lead to an attack. We will also dive into the WebView architecture and demonstrate the root cause of it. To help you find this vulnerability, we developed a novel tool that can vet Android apps automatically.<br><br>Many high-profile apps are verified to be impacted, which affects more than 60% of Android devices and at least 2 billion endpoint users. Moreover, this kind of vulnerability can also be extended to other platforms such as IOS or Electron.<br><br>Finally, towards solving these issues permanently, we propose a practical mitigation measure called "RichInterface". It has been applied in our custom WebView. Our evaluation of real-world apps shows the mitigation solution is effective and scalable, with negligible overhead.<br><br>We hope to protect users from the potential security risks while enjoying the convenience of WebView and JavascriptInterface. We also hope to make the security community aware of this emerging new attack method.<br>

Presenters:

• Ce Qin - Security Researcher, &nbsp;
  Ce Qin "Hearmen" is a security researcher In Octopus Security Team. Ce spoke at AsiaSecWest 2018, Defcon 2019 and HSCV 2020.

Links:

• https://www.blackhat.com/asia-21/briefings/schedule/#the-tangled-webview-------javascriptinterface-once-more-21831

Similar Presentations:

• VB2017 / Last-minute paper: Webview is far more than a 'view'
• Still Hacking Anyway (SHA2017) / Parkour communications: How you can communicate, free running style, using nothing but the 'fixtures' of the Internet.
• Black Hat Asia 2021 Virtual / A New Era of One-Click Attacks: How to Break Install-Less Apps