When it comes to vulnerabilities in WebViews, we often overlook the incorrect implementation of
WebResourceResponse
which is a WebView class that allows an Android app to emulate the server by returning a response (including a status code, content type, content encoding, headers and the response body) from the app’s code itself without making any actual requests to the server. At the end of the article, we’ll show how we exploited a vulnerability related to this in Amazon apps.
Do you want to check your mobile apps for such types of vulnerabilities? Oversecured mobile apps scanner provides an automatic solution that helps to detect vulnerabilities in Android and iOS mobile apps. You can integrate Oversecured into your development process and check every new line of your code to ensure your users are always protected.
The WebView class in Android is used for displaying web content within an app, and provides extensive capabilities for manipulating requests and responses. It is a fancy web browser that allows developers, among other things, to bypass standard browser security. Any misuse of these features by a malicious actor can lead to vulnerabilities in mobile apps.
One of these features is that a WebView allows you to intercept app requests and return arbitrary content, which is implemented via the
WebResourceResponse
class.
Let’s look at a typical example of a
WebResourceResponse
implementation:
As you can see in the code above, if the request URI matches a given pattern, then the response is returned from the app resources or local files. The problem arises when an attacker can manipulate the path of the returned file and, through XHR requests, gain access to arbitrary files.
Therefore, if an attacker discovers a simple XSS or the ability to open arbitrary links inside the Android app, they can use that to leak sensitive user data – which can also include the access token, leading to a full account takeover.
If you already have the ability to execute arbitrary JavaScript code inside a vulnerable WebView, and assuming there is some sensitive data in /data/data/com.victim/shared_prefs/auth.xml, then the Proof of Concept for the attack will look like this:
It should be noted that the attack works because new File(getCacheDir(), uri.getLastPathSegment()) is being used to generate the path and the method Uri.getLastPathSegment() returns a decoded value.
However, policies like CORS still work inside a WebView. Therefore, if Access-Control-Allow-Origin: * is not specified in the headers, then requests to the current domain will not be allowed. In our example, this restriction will not affect the exploitation of path traversal, because any.domain can be replaced with the current scheme + host + port.
We scanned the Amazon Shopping and Amazon India Online Shopping apps and found two vulnerabilities. They were chained to access arbitrary files owned by Amazon apps and then reported to the Amazon VRP on December 21st, 2019. The issues were confirmed fixed by Amazon on April 6th, 2020.
The first was opening arbitrary URLs within the WebView through the com.amazon.mShop.pushnotification.WebNotificationsSettingsActivity activity:
– and the second was stealing arbitrary files via WebResourceResponse in the com/amazon/mobile/mash/MASHWebViewClient.java file:
Two checks take place in the com/amazon/mobile/mash/handlers/LocalAssetHandler.java file:
publicWebResourceResponsehandlePackage(UrlWebviewPackagepkg){InputStreamstm;Uriuri=Uri.parse(pkg.getUrl());Stringpath=uri.getPath().substring(1);try{if(path.startsWith("assets/")){stm=pkg.getWebView().getContext().getResources().getAssets().open(path.substring("assets/".length()));}elseif(path.startsWith("files/")){stm=newFileInputStream(path.substring("files/".length()));// path to an arbitrary file}else{MASHLog.m2345v(TAG,"Unexpected path "+path);stm=null;//...Map<String,String>headers=newHashMap<>();headers.put("Cache-Control","max-age=31556926");headers.put("Access-Control-Allow-Origin","*");returnnewWebResourceResponse(mimeType,null,200,"OK",headers,stm);}catch(IOExceptione){MASHLog.m2346v(TAG,"Failed to load resource "+uri,e);returnnull;
The apps also had a host check that was bypassed by us. This check could also be bypassed using the javascript: scheme which removed any requirements to have SD card permissions for making a file.
While implementing WebResourceResponse, it is recommended to use WebViewAssetLoader, which is a user-friendly interface. It allows the app to safely process data from resources, assets or a predefined directory.
Thank you for reaching out
An email with the requested files will be sent to the email address you provided shortly.
Protect your apps today!
It can be challenging to keep track of security issues that appear daily during the app development process.
Drop us a line and we'll help you automate this process internally, saving tons of resources with Oversecured.
This website uses cookies to improve your experience. See our Privacy Policy to learn
more.
