Android App using Webview/javascript. What can be a security concern?


Question

I am creating an Android web app using WebView and JavaScript, and I am calling addJavascriptInterface(true).

My app will contain data (HTML) that will be loaded from an external site.

I am worried about cross-site scripting (XSS) and the security of my app, as I am enabling addJavascriptInterface(true).

What are the things I should take care of so that no malicious code can run in my app?

Answer

I found a good study from Syracuse University called Attacks on WebView in the Android System, which illustrates how using a WebView with addJavascriptInterface(true) can enable two kinds of attacks. One, a malicious website that will now have access to your app via the phone services you assign to the interface (e.g. Contacts, Camera, etc.), or two, a malicious app that can gain access to a vulnerable website by inserting code into its JavaScript.

Basically the fix for app developers is to ensure that no URL other than the intended one is allowed to be viewed in your WebView. For example, say you embed Facebook.com into your WebView: you can write code to ensure that if any other advertisement in Facebook is clicked, the external browser will open instead of the page displaying in your WebView. This is most common through iFrames... although the article goes into more depth about that.

Here is the example they present that ensures no URL other than the one originally intended is viewed in the WebView:

import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

WebViewClient wvclient = new WebViewClient() {
  // override the "shouldOverrideUrlLoading" hook.
  @Override
  public boolean shouldOverrideUrlLoading(WebView view, String url) {
    if (!url.startsWith("http://www.facebook.com")) {
      // Any other URL is handed to the external browser, not the WebView.
      Intent i = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
      startActivity(i);
      return true;   // handled here; the WebView must not load it
    }
    return false;    // intended site: let the WebView load it
  }
  // override the "onPageFinished" hook.
  @Override
  public void onPageFinished(WebView view, String url) { ... }
};
webView.setWebViewClient(wvclient);

It's a great study, and it outlines several different kinds of attacks. Worth the read!
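A hardened version of the allow-list check, added here as an example (it is not code from the answer above or from the Syracuse paper): it parses the URL, requires https, and compares the host against an explicit set instead of testing a string prefix, because a prefix test like startsWith("http://www.facebook.com") also accepts hosts that merely begin with that name. The hosts in ALLOWED_HOSTS are assumed values for the facebook.com example; isAllowedInWebView is meant to replace the startsWith test inside shouldOverrideUrlLoading.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class WebViewUrlPolicy {
    // Hosts the WebView may load. Assumed values for the answer's
    // facebook.com example; an app would list its own origins here.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("www.facebook.com", "m.facebook.com"));

    /**
     * Returns true only if the URL should be loaded inside the WebView.
     * Everything else (other hosts, look-alike hosts, non-https schemes,
     * unparsable URLs) is rejected, and shouldOverrideUrlLoading should
     * hand it to the external browser or drop it.
     */
    public static boolean isAllowedInWebView(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // never load something we cannot parse
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Require TLS: the loaded page's JavaScript can reach the
        // interface, so it must not be replaceable on the network.
        if (!scheme.equalsIgnoreCase("https")) return false;
        // Exact host match. A prefix test on the raw string would also
        // accept "www.facebook.com.example" or a userinfo part such as
        // "www.facebook.com@other.example".
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        String[] samples = {                              // constructed inputs
            "https://www.facebook.com/profile",           // allowed
            "http://www.facebook.com/profile",            // plain http: rejected
            "https://www.facebook.com.example/",          // look-alike host: rejected
            "https://www.facebook.com@other.example/",    // userinfo trick: rejected
            "javascript:alert(1)"                         // no host: rejected
        };
        for (String s : samples) {
            System.out.println((isAllowedInWebView(s) ? "load   " : "reject ") + s);
        }
    }
}
```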
