MASTG-TEST-0333: Overly Broad File Read Access in WebViews
Overview
iOS apps can load local files into a WKWebView using loadFileURL(_:allowingReadAccessTo:).
This test checks whether the app uses loadFileURL(_:allowingReadAccessTo:) with an overly broad readAccessURL. If attacker-controlled input influences the loaded file URL and the read access scope is too broad, the WebView may gain access to sensitive files within the app container.
Steps
- Extract the app as described in Exploring the App Package.
- Run a static analysis tool such as radare2 (iOS) on the app binary, looking for calls to WKWebView.loadFileURL(_:allowingReadAccessTo:).
Observation
The output should contain a list of locations in the binary where WKWebView.loadFileURL(_:allowingReadAccessTo:) is called.
Evaluation
The test case fails if any call to loadFileURL(_:allowingReadAccessTo:) is found where the readAccessURL argument grants overly broad read access, for example to the entire Documents directory or the app container root.
Inspect each reported call site using Reviewing Disassembled Objective-C and Swift Code:
- Inspect the fileURL argument and determine whether it can be influenced by attacker-controlled input.
- Inspect the readAccessURL argument and determine whether it grants broader access than necessary.
- Verify that the allowed read scope is restricted to the minimum directory required for the intended content.
The test passes if every use of loadFileURL(_:allowingReadAccessTo:) restricts readAccessURL to the minimum necessary scope and does not allow attacker-influenced file loading to reach unintended files.
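The following Swift snippet is an added illustration of the two outcomes described above; it is not code from the MASTG page or from any demo app. It assumes a constructed layout in which bundled help pages live under Documents/help/ and the page name comes from an external source (a deep link or server response, for example). The first function is the failing pattern: readAccessURL is the whole Documents directory, so any file the fileURL can be steered to is readable by the WebView. The second function restricts readAccessURL to the help directory, allowlists the page name, and refuses any resolved path that escapes that directory.

```swift
import WebKit

// Constructed example: help pages are stored under <Documents>/help/.
let documentsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let helpDir = documentsDir.appendingPathComponent("help", isDirectory: true)

// FAILS the test: read access is granted to the entire Documents directory, and
// `page` is used as-is, so an attacker-influenced value such as "../secret.db"
// resolves to a file the WebView is then allowed to read.
func loadHelpPageOverlyBroad(into webView: WKWebView, page: String) {
    let fileURL = helpDir.appendingPathComponent(page)
    webView.loadFileURL(fileURL, allowingReadAccessTo: documentsDir)
}

// PASSES the test: only known page names are accepted, the resolved path must
// stay inside helpDir, and read access is limited to helpDir itself.
@discardableResult
func loadHelpPageRestricted(into webView: WKWebView, page: String) -> Bool {
    // Allowlist of page names the app actually ships (constructed values).
    let allowedPages: Set<String> = ["index.html", "faq.html"]
    guard allowedPages.contains(page) else { return false }

    // Resolve symlinks and ".." components before checking containment.
    let fileURL = helpDir.appendingPathComponent(page).standardizedFileURL
    let scopePath = helpDir.standardizedFileURL.path
    guard fileURL.path.hasPrefix(scopePath + "/") else { return false }

    // Minimum scope: the directory holding the intended content, nothing wider.
    webView.loadFileURL(fileURL, allowingReadAccessTo: helpDir)
    return true
}
```

When reviewing a disassembled call site, the equivalent questions are whether the second argument resolves to a directory as narrow as helpDir here or as wide as documentsDir, and whether anything comparable to the allowlist and containment guard runs before the call.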
Best Practices
MASTG-BEST-0033: Securely Load File Content in a WebView
Demos
MASTG-DEMO-0096: HTML Injection in a Local WebView Leading to Local File Access