Google Play警告:您的应用包含跨应用脚本漏洞 [英] Google Play warning: Your app contains a Cross-App Scripting Vulnerability

问题描述

大家好，

我从Google Play收到了一封电子邮件，内容涉及我发布的一个或多个应用程序中的跨应用程序脚本漏洞.我在应用程序中使用 WebView ，因此他们说我的应用程序包含webView跨应用程序脚本问题，该问题可能使恶意应用程序窃取用户Cookie和其他数据.他们会采取我要采取的行动，那就是

I got a email from google play regarding Cross-App Scripting Vulnerability in one or more my published apps. I am using WebView in my apps, so they says my app contains webView Cross-App Scripting issue which can allow malicious apps to steal user cookies and other data. And They give what action I am going to take, that is

需要采取的行动

请按照以下步骤解决您的应用程序的问题(在此电子邮件的末尾列出).您可以参考Play控制台中的通知，以获取解决此问题的截止日期.在此期限之后，如果漏洞仍然存在，将阻止对受影响的应用程序进行更新.您发布的APK版本不会受到影响. 其他详细信息

Please follow the steps below to fix the issue with your apps (listed at the end of this email). You can refer to the notice in your Play Console for the deadline to fix this problem. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected. Additional details

启用JavaScript并加载从不受信任的Intent读取的数据的WebView可能会被恶意应用欺骗，以在不安全的上下文中执行JavaScript代码.您应该通过以下其中一种方式来防止此漏洞:

WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context. You should prevent this vulnerability in one of the following ways:

选项1:确保不导出受影响的活动

Option 1: Ensure that affected activities are not exported

使用受影响的WebView查找任何活动.如果这些活动不需要从其他应用程序获取意图，则可以在清单中为活动设置android:exported = false.这样可以确保恶意应用程序不会向这些活动中的任何WebView发送有害输入.

Find any Activities with affected WebViews. If these Activities do not need to take Intents from other apps you can set android:exported=false for the Activities in your Manifest. This ensures that malicious apps cannot send harmful inputs to any WebViews in these Activities.

选项2:在导出的活动中保护WebViews

Option 2: Protect WebViews in exported activities

如果要设置一个活动，并且将受影响的WebView导出，则我们建议您进行以下更改:

If you want to set an Activity with an affected WebView as exported then we recommend that you make the following changes:

更新您的targetSdkVersion

Update your targetSdkVersion

确保您的targetSdkVersion符合Google Play的目标API级别要求. targetSdkVersion为16或更低的应用会评估在当前加载的页面上下文中传递给loadUrl的JavaScript URL.以SDK版本16或更低版本为目标，并使用来自不受信任的Intent的未经消毒的输入来调用loadUrl，攻击者可以在受影响的WebView中执行有害的脚本.

Ensure that your targetSdkVersion meets Google Play's target API level requirement. Apps with a targetSdkVersion of 16 or lower evaluate JavaScript URLs passed to loadUrl in the currently loaded page context. Targeting SDK version 16 or lower and calling loadUrl using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.

保护对评估JavaScript的调用

Protect calls to evaluateJavascript

确保评估Javascript的参数始终受信任.使用来自不受信任的Intent的未经消毒的输入来调用valuateJavascript，攻击者可以在受影响的WebView中执行有害的脚本.

Ensure that parameters to evaluateJavascript are always trusted. Calling evaluateJavascript using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.

防止不安全的文件加载

确保受影响的WebView无法加载cookie数据库.恶意应用可以通过以下方式来攻击从不受信任的Intent中加载未经消毒的file://URL的WebView.恶意网页可以将脚本标签写入cookie数据库，然后恶意应用程序可以发送一个具有file://URL的Intent，该URL指向您的WebView Cookies数据库.如果将cookie数据库加载到WebView中，该恶意脚本将执行，并且可以窃取会话信息.

Ensure that affected WebViews cannot load the cookie database. WebViews that load unsanitized file:// URLs from untrusted Intents can be attacked by malicious apps in the following way. A malicious web page can write script tags into the cookies database and then a malicious app can send an Intent with a file:// URL pointing to your WebView cookies database. The malicious script will execute if the cookies database is loaded in a WebView and can steal session information.

您可以确保受影响的WebView无法以两种方式加载WebView Cookies数据库.您可以禁用所有文件访问权限，也可以验证所有已加载的file://URL都指向安全文件.请注意，攻击者可以使用符号链接来诱骗对URL路径的检查.为防止此类攻击，请确保在加载之前检查任何不受信任的file://URL的规范路径，而不仅仅是检查URL路径.

You can ensure that affected WebViews cannot load the WebView cookies database in two ways. You can either disable all file access or you can verify that any loaded file:// URLs point to safe files. Note that an attacker can use a symbolic link to trick checks on the URL path. To prevent such an attack, be sure to check the canonical path of any untrusted file:// URL before loading instead of just checking the URL path.

所以我的问题是

1. 如果我进行了电子邮件中提到的更改，这将如何影响我的应用?

我的应用程序的任何功能都将被禁用吗?

推荐答案

转到android Manifest，如果网络活动具有android:exported=true，请将其更改为android:exported=false

Go to the android Manifest, and if the web activity has the android:exported="true", Change it to android:exported="false"

转到清单，然后在Webview活动中添加以下行

Go to the manifest, and add the following lines in the Webview activity

<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />

这篇关于Google Play警告:您的应用包含跨应用脚本漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！