Android WebView addJavascriptInterface Arbitrary Java Method Access

Added: 02/11/2014
CVE: CVE-2013-4710
OSVDB: 97520

Background

Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the Android View API which allows an application developer to load a web page as part of a client application.

Problem

The addJavascriptInterface method of WebView exposes a supplied Java object from within WebView to JavaScript. WebView with an API level less than 17 allows all public methods to be accessed, so that it is possible to use addJavascriptInterface to call any unregistered Java class and thereby execute commands remotely in the context of the running application.

Resolution

Applications developed for Android 4.2 (API level 17) and above are not vulnerable. Users who cannot upgrade their Android version should remove all applications that embed advertisements or ensure that they do not connect to untrusted networks while using applications with embedded advertisements.

References

http://jvn.jp/en/jp/JVN53768697/
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
http://blogs.avg.com/mobile/analyzing-android-webview-exploit/

Limitations

The user must run a vulnerable application which loads a specially crafted page.

Platforms

Android

Back to exploit index