MASTG-BEST-0012: Disable JavaScript in WebViews
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
If JavaScript is not required, explicitly disable it in WebViews by setting setJavaScriptEnabled(false).
Enabling JavaScript in WebViews increases the attack surface and can expose your app to severe security risks, including:
- Cross-Site Scripting (XSS): Malicious JavaScript can execute within the WebView, leading to session hijacking, credential theft, or defacement.
- Data Exfiltration: WebViews can access sensitive data such as cookies, tokens, or local files (e.g., via
file://orcontent://URIs whensetAllowFileAccess(true),setAllowFileAccessFromFileURLs(true), orsetAllowContentAccess(true)are enabled) which can be exfiltrated by malicious scripts ifsetAllowUniversalAccessFromFileURLs(true)is set. - Unauthorized Device Access: JavaScript can be used in conjunction with
addJavascriptInterfaceto exploit exposed native Android interfaces, leading to remote code execution (RCE).
Sometimes this is not possible due to app requirements. In those cases, ensure that you have implemented proper input validation, output encoding, and other security measures.
Note: sometimes you may want to use alternatives to regular WebViews, such as Trusted Web Activities or Custom Tabs, which provide a more secure way to display web content in your app. In those cases, JavaScript is handled within the browser environment, which benefits from the latest security updates, sandboxing, and mitigations against common web vulnerabilities such as Cross-Site Scripting (XSS) and Machine-in-the-Middle (MITM) attacks.
Tests¶
MASTG-TEST-0x33: References to Local File Access in WebViews MASTG-TEST-0250: References to Content Provider Access in WebViews MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews