MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Overview

This test is the dynamic counterpart to References to Local File Access in WebViews.

Steps

  1. Run a dynamic analysis tool like Frida for iOS and either:
    • enumerate instances of WebView in the app and list their configuration values
    • or explicitly hook the setters of the WebView settings
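The following Frida script is an added example, not code from the MASTG page or its demo; it assumes the three settings are those of Android's android.webkit.WebSettings, hooks their setters, enumerates live WebView instances, and applies this page's Fail rule to each.

```javascript
// Added example (not part of MASTG or MASTG-DEMO-0031). Assumes the target
// class is android.webkit.WebSettings. Run inside Frida, e.g.:
//   frida -U -f <PACKAGE_NAME_PLACEHOLDER> -l this_script.js

// Evaluation rule from the page: FAIL only when all three settings are true.
function evaluate(s) {
  var allTrue = s.AllowFileAccess === true &&
                s.AllowFileAccessFromFileURLs === true &&
                s.AllowUniversalAccessFromFileURLs === true;
  return allTrue ? 'FAIL' : 'PASS';
}

// Reads the three getters of a WebSettings object into a plain JS object.
function readSettings(settings) {
  return {
    AllowFileAccess: settings.getAllowFileAccess(),
    AllowFileAccessFromFileURLs: settings.getAllowFileAccessFromFileURLs(),
    AllowUniversalAccessFromFileURLs: settings.getAllowUniversalAccessFromFileURLs()
  };
}

var SETTERS = ['setAllowFileAccess', 'setAllowFileAccessFromFileURLs',
               'setAllowUniversalAccessFromFileURLs'];

// The hooks only exist inside Frida's Java runtime; elsewhere they are skipped.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    var WebSettings = Java.use('android.webkit.WebSettings');
    var Log = Java.use('android.util.Log');
    var Throwable = Java.use('java.lang.Throwable');
    // Step option 2: hook the setters and log each call with its caller.
    SETTERS.forEach(function (name) {
      WebSettings[name].implementation = function (value) {
        console.log('[WebSettings] ' + name + '(' + value + ')');
        console.log(Log.getStackTraceString(Throwable.$new()));
        return this[name](value);  // preserve the original behaviour
      };
    });
    // Step option 1: enumerate WebView instances and dump their settings.
    // WebView.getSettings() enforces a thread check, so run on the main thread.
    Java.scheduleOnMainThread(function () {
      Java.choose('android.webkit.WebView', {
        onMatch: function (wv) {
          var s = readSettings(wv.getSettings());
          console.log('[WebView] ' + wv + ' ' + JSON.stringify(s) + ' => ' + evaluate(s));
        },
        onComplete: function () { console.log('[WebView] enumeration done'); }
      });
    });
  });
}
```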

Observation

The output should contain a list of WebView instances and corresponding settings.

Evaluation

Fail:

The test fails if all of the following are true:

  • AllowFileAccess is true.
  • AllowFileAccessFromFileURLs is true.
  • AllowUniversalAccessFromFileURLs is true.

Note: AllowFileAccess being true does not represent a security vulnerability by itself, but it can be used in combination with other vulnerabilities to escalate the impact of an attack. Therefore, it is recommended to explicitly set it to false if the app does not need to access local files.

Pass:

The test passes if any of the following are true:

  • AllowFileAccess is false.
  • AllowFileAccessFromFileURLs is false.
  • AllowUniversalAccessFromFileURLs is false.

Mitigations

Demos

MASTG-DEMO-0031: Uses of WebViews Allowing Local File Access with Frida