To create and use a WebView, an app must create an instance of the `WebView` class:

```java
WebView webview = new WebView(this);
setContentView(webview);
webview.loadUrl("https://www.owasp.org/");
```
- The user cannot define which sources are loaded, for example by having the app load different resources based on user-provided input.
- `clearCache` is called when the app closes.
Devices running platforms older than Android 4.4 (API level 19) use a version of WebKit that has several security issues. As a workaround, the app must confirm that WebView objects display only trusted content if the app runs on these devices.
- Stored Cross-Site Scripting vulnerabilities in an endpoint; the exploit will be sent to the mobile app's WebView when the user navigates to the vulnerable function.
- Malware tampering with local files that are loaded by the WebView.
To address these attack vectors, check the following:
- All functions offered by the endpoint should be free of stored XSS.
- Only files that are in the app data directory should be rendered in a WebView (see test case "Testing for Local File Inclusion in WebViews").
The HTTPS communication must be implemented according to best practices to avoid MITM attacks. This means:
- all communication is encrypted via TLS,
- the server certificate is validated properly, and/or
- the certificate is pinned.
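The following activity is an added example, not code from the original page or from OWASP; it shows one way to implement the checks listed above in a single hardened `WebView`: a developer-controlled allowlist so the user never chooses the source, local files restricted to the app data directory, no `proceed()` on TLS errors, and `clearCache` when the screen is torn down. The package name, the class names and the allowlisted host are constructed placeholders.

```java
package com.example.webviewhardening; // hypothetical package

import android.app.Activity;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {

    // Fixed allowlist chosen by the developer: the user never decides what the WebView loads.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.owasp.org")); // constructed placeholder host

    private WebView webview;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webview = new WebView(this);
        // JavaScript stays at its default (disabled) unless a feature needs it.
        // If the app never renders local files, also call getSettings().setAllowFileAccess(false).
        webview.setWebViewClient(new RestrictiveClient());
        setContentView(webview);
        webview.loadUrl("https://www.owasp.org/"); // hard-coded, never derived from user input
    }

    /**
     * Returns true only for https URLs on the allowlist, or file URLs that resolve
     * inside the app's data directory. Every other scheme is refused.
     */
    boolean isTrustedUrl(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if ("https".equals(scheme)) {
            return ALLOWED_HOSTS.contains(uri.getHost());
        }
        if ("file".equals(scheme) && uri.getPath() != null) {
            try {
                // Canonicalise first so "../" segments cannot escape the data directory.
                String canonical = new File(uri.getPath()).getCanonicalPath();
                String dataDir = getFilesDir().getCanonicalPath() + File.separator;
                return canonical.startsWith(dataDir);
            } catch (IOException e) {
                return false;
            }
        }
        return false; // http, javascript:, content:, intent: and anything else
    }

    private class RestrictiveClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            // Returning true tells the WebView not to load the URL, so untrusted targets are dropped.
            return !isTrustedUrl(request.getUrl().toString());
        }

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // A certificate error is treated as a possible MITM: never call handler.proceed().
            handler.cancel();
        }
    }

    @Override
    protected void onDestroy() {
        // Remove cached pages and history before the WebView is released.
        webview.clearCache(true);
        webview.clearHistory();
        webview.destroy();
        super.onDestroy();
    }
}
```

`onReceivedSslError` cancels by default; the anti-pattern this guards against is an override that calls `handler.proceed()` to silence certificate warnings. Pinning for WebView traffic is declared outside Java code, in the app's Network Security Config (Android 7.0, API level 24, and later), so the client above only enforces the "checked properly" part of the list.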