MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews

Overview

This test is the dynamic counterpart to References to Content Provider Access in WebViews.

When hooking or tracing the relevant APIs, you can take one of two approaches:

  • Enumerate the instances of WebView in the app and list their configuration values.
  • Explicitly hook the setters of the WebView settings.

Steps

  1. Use Installing Apps to install the app.
  2. Use Method Hooking to hook the relevant API calls.
  3. Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.

Observation

The output should contain a list of WebView setting calls, including the argument values and backtraces of each call.

Evaluation

The test case fails if all of the following apply:

  • JavaScriptEnabled is true.
  • AllowContentAccess is true.
  • AllowUniversalAccessFromFileURLs is true.
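
One way to apply these three conditions to recorded setter calls, as an added example that is not part of the MASTG or its demos. The event shape (instance, method, value, backtrace), the instance labels and the com.example.app names are assumptions; settings the app never sets start from the Android defaults for API 16+, where AllowContentAccess is already true.

```javascript
// Added example: evaluate recorded WebSettings setter calls per settings instance.
// The event shape and all sample values below are assumptions, not real tool output.

// Android defaults (API 16+) for settings the app never sets explicitly.
const DEFAULTS = {
  setJavaScriptEnabled: false,
  setAllowContentAccess: true, // true by default: a missing call does not mean "off"
  setAllowUniversalAccessFromFileURLs: false,
};

// Fold the calls in order; the last value written to each instance wins.
function evaluate(events) {
  const state = new Map();
  for (const e of events) {
    if (!(e.method in DEFAULTS)) continue; // ignore unrelated setters
    if (!state.has(e.instance)) {
      state.set(e.instance, { values: { ...DEFAULTS }, backtraces: {} });
    }
    const s = state.get(e.instance);
    s.values[e.method] = e.value === true;
    s.backtraces[e.method] = e.backtrace; // code location to review afterwards
  }
  const results = [];
  for (const [instance, s] of state) {
    // The test case fails only when all three settings end up true.
    const fails = Object.keys(DEFAULTS).every((m) => s.values[m]);
    results.push({ instance, fails, values: s.values, backtraces: s.backtraces });
  }
  return results;
}

// Constructed sample hook output (hypothetical app and instance labels).
const SAMPLE_EVENTS = [
  { instance: "WebSettings@1a2b", method: "setJavaScriptEnabled", value: true, backtrace: "com.example.app.HelpActivity.onCreate" },
  { instance: "WebSettings@1a2b", method: "setAllowUniversalAccessFromFileURLs", value: true, backtrace: "com.example.app.HelpActivity.onCreate" },
  { instance: "WebSettings@3c4d", method: "setJavaScriptEnabled", value: true, backtrace: "com.example.app.NewsActivity.onCreate" },
  { instance: "WebSettings@3c4d", method: "setAllowContentAccess", value: false, backtrace: "com.example.app.NewsActivity.onCreate" },
  { instance: "WebSettings@5e6f", method: "setAllowUniversalAccessFromFileURLs", value: true, backtrace: "com.example.app.LegacyActivity.onCreate" },
  { instance: "WebSettings@5e6f", method: "setAllowUniversalAccessFromFileURLs", value: false, backtrace: "com.example.app.LegacyActivity.onResume" },
];

for (const r of evaluate(SAMPLE_EVENTS)) {
  console.log(r.instance, r.fails ? "FAIL" : "pass", JSON.stringify(r.values));
}
```

The first instance fails even though setAllowContentAccess was never called on it, which is why setter hooks alone can under-report and enumerating the live WebView configuration is the complementary approach.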

Further Validation Required:

Using the backtraces from the hook output, inspect the code locations using Reviewing Decompiled Java Code:

  • Determine whether the settings are explicitly used and configured to the identified values.
  • Determine which WebView instance receives the configuration and whether it handles sensitive information or functionality.
  • Determine whether the WebView loads content in a context where content provider data could be accessed via content:// URLs.

For the identified WebViews, determine whether attacker-controlled JavaScript could execute in a context where it can access content providers that handle sensitive data. Also use the list of content providers obtained in References to Content Provider Access in WebViews to verify if they handle sensitive data.

Note

AllowContentAccess being true does not represent a security vulnerability by itself, but it can be used in combination with other vulnerabilities to escalate the impact of an attack.

Best Practices

  • MASTG-BEST-0011: Securely Load File Content in a WebView
  • MASTG-BEST-0012: Disable JavaScript in WebViews
  • MASTG-BEST-0013: Disable Content Provider Access in WebViews

Demos

MASTG-DEMO-0030: Uses of WebViews Allowing Content Access with Frida