
MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).

Overview

This test is the dynamic counterpart to References to Content Provider Access in WebViews.

Steps

  1. Run a dynamic analysis tool like Frida for iOS and either:
    • enumerate instances of WebView in the app and list their configuration values
    • or explicitly hook the setters of the WebView settings

Observation

The output should contain a list of WebView instances and corresponding settings.

Evaluation

Fail:

The test fails if all of the following are true:

  • JavaScriptEnabled is true.
  • AllowContentAccess is true.
  • AllowUniversalAccessFromFileURLs is true.

You should use the list of content providers obtained in References to Content Provider Access in WebViews to verify if they handle sensitive data.

Note: AllowContentAccess being true does not represent a security vulnerability by itself, but it can be used in combination with other vulnerabilities to escalate the impact of an attack. Therefore, it is recommended to explicitly set it to false if the app does not need to access content providers.

Pass:

The test passes if any of the following are true:

  • JavaScriptEnabled is false.
  • AllowContentAccess is false.
  • AllowUniversalAccessFromFileURLs is false.
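
The steps and evaluation above can be combined in one Frida script. The following is an added example, not the MASTG demo code: it enumerates live `android.webkit.WebView` instances, reads the three settings through their `WebSettings` getters, and applies the fail/pass rule. The names `GETTERS`, `evaluate` and `readSettings` are assumptions made for this example.

```javascript
// Added example. The verdict logic is a plain function so it can be checked
// outside Frida; the enumeration only runs when Frida's Java bridge is loaded.

// Settings this test inspects, mapped to their android.webkit.WebSettings getters.
const GETTERS = {
  JavaScriptEnabled: 'getJavaScriptEnabled',
  AllowContentAccess: 'getAllowContentAccess',
  AllowUniversalAccessFromFileURLs: 'getAllowUniversalAccessFromFileURLs',
};

// Fail only when all three settings are true; any other combination passes.
function evaluate(settings) {
  const failed = Object.keys(GETTERS).every((name) => settings[name] === true);
  return failed ? 'FAIL' : 'PASS';
}

// Read the three settings from a WebView wrapper via getSettings().
function readSettings(webView) {
  const ws = webView.getSettings();
  const out = {};
  for (const [name, getter] of Object.entries(GETTERS)) {
    out[name] = ws[getter]();
  }
  return out;
}

if (typeof Java !== 'undefined') {
  Java.perform(() => {
    Java.choose('android.webkit.WebView', {
      onMatch(webView) {
        // Keep the wrapper usable after onMatch returns.
        const view = Java.retain(webView);
        // WebView methods must be called on the app's main (UI) thread.
        Java.scheduleOnMainThread(() => {
          const settings = readSettings(view);
          console.log(`${view}: ${JSON.stringify(settings)} => ${evaluate(settings)}`);
        });
      },
      onComplete() {
        console.log('WebView enumeration complete');
      },
    });
  });
}
```

Run it after the app has created its WebViews, since `Java.choose` only finds instances that already exist on the heap. A `FAIL` line still needs the follow-up check of whether the reachable content providers handle sensitive data.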

Mitigations

Demos

MASTG-DEMO-0030: Uses of WebViews Allowing Content Access with Frida