Vulnerability principle:
The behavior of a WebView is controlled through the WebSettings class. If it is configured improperly, an attacker can use the WebView to break the Android application sandbox: a malicious app on the same device can drive a victim app's WebView to read files in the victim's private data directory (locally saved configuration, cached credentials and other sensitive data) and send them out, and the same technique works against any other vulnerable app.
The problem arises when four methods of android.webkit.WebSettings are configured incorrectly, i.e. when loading of file:// URLs and execution of JavaScript are both allowed: setAllowFileAccess(), setJavaScriptEnabled(), setAllowFileAccessFromFileURLs() and setAllowUniversalAccessFromFileURLs(). The misconfiguration is exploited together with an exported Activity (component exposure) vulnerability: if the Activity that hosts the WebView is exported and loads a URL taken from the incoming Intent, any app on the device can send it a file:// URL pointing at attacker-controlled HTML (for example a file the attacker's app wrote to external storage), and the JavaScript in that page then reads the victim's private files from the file:// origin.
setAllowFileAccess()
Enables or disables loading of file:// URLs in the WebView. The default is true for apps targeting API level 29 (Android 10) and below, and false for apps targeting API level 30 (Android 11) and above.
    webView.getSettings().setAllowFileAccess(true);

setJavaScriptEnabled()
Sets whether the WebView executes JavaScript. The default is false; set it to true to enable JavaScript execution.
    webView.getSettings().setJavaScriptEnabled(true);

setAllowFileAccessFromFileURLs()
Sets whether JavaScript running in a page loaded from a file:// URL may read other local files (other file:// origins). Note that if getAllowUniversalAccessFromFileURLs() returns true, this setting is ignored. For the most restrictive security policy, disable it:
    webView.getSettings().setAllowFileAccessFromFileURLs(false);
Default: true on API level 15 and below; false on API level JELLY_BEAN (API level 16, Android 4.1) and above.

setAllowUniversalAccessFromFileURLs()
Sets whether JavaScript running in a page loaded from a file:// URL may access content from any other origin (http, https and other file URLs included). This is the most dangerous of the four settings.
    webView.getSettings().setAllowUniversalAccessFromFileURLs(true);
Default: true on API level 15 and below; false on API level JELLY_BEAN (API level 16, Android 4.1) and above.
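The following Activity is an added example, not code from the original post, showing the four settings in their vulnerable combination next to a hardened configuration, together with the URL check an exported Activity needs so that an Intent from another app cannot make the WebView load a file:// page. The class name SecureWebViewActivity, the host allow-list ALLOWED_HOST and the helper names weak, harden and isAllowed are assumptions for illustration; the WebSettings and WebViewClient calls are the real Android API.

```java
package com.example.webviewhardening;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: an Activity that hosts a WebView and may be exported
// (reachable via Intent from any other app on the device).
public class SecureWebViewActivity extends Activity {
    // Hypothetical allow-list: the only host an external Intent may ask us to load.
    private static final String ALLOWED_HOST = "www.example.com";

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        harden(webView.getSettings());

        webView.setWebViewClient(new WebViewClient() {
            // API 24+ overload: block every navigation that fails the allow-list.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());
            }

            // Pre-API-24 overload: same rule, so older devices are not left open.
            @Override
            @SuppressWarnings("deprecation")
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));
            }
        });

        // Never trust the URL carried by the incoming Intent: an attacker's app
        // can put file:///sdcard/... or any other scheme in here.
        Uri target = getIntent() != null ? getIntent().getData() : null;
        if (isAllowed(target)) {
            webView.loadUrl(target.toString());
        } else {
            webView.loadUrl("about:blank");
        }
    }

    // The vulnerable combination described in the text: file:// loading,
    // JavaScript, and cross-origin access from file URLs all enabled.
    // Shown only for contrast; never ship this.
    static void weak(WebSettings s) {
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
    }

    // Hardened configuration: every file-related switch set explicitly to false,
    // because the defaults depend on the API level and the app's targetSdkVersion.
    static void harden(WebSettings s) {
        s.setAllowFileAccess(false);             // no file:// loads at all
        s.setAllowContentAccess(false);          // no content:// loads either
        s.setAllowFileAccessFromFileURLs(false); // false by default since API 16, but be explicit
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptEnabled(false);           // enable only if the page truly needs it
    }

    // Only https on the allow-listed host is accepted; file://, content://,
    // javascript: and every other scheme are rejected.
    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

If the app genuinely has to render local HTML, keep setAllowFileAccess(false) anyway and serve the assets through WebViewAssetLoader (androidx.webkit) over an https://appassets.androidplatform.net origin, which gives the page a normal web origin instead of the file:// origin that these settings loosen.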
WebView cross-domain access risk