Android WebView security vulnerability can turn a large number of applications into a channel for hackers

Source: Internet
Author: User

Innovation Factory's Internet Fast Bird revealed that the Android WebView security vulnerability recently disclosed in China will turn a large number of applications into a channel for hackers. The vulnerability threatens more than 90% of Android handsets and can be exploited on a large scale: when users open a web page carrying a Trojan through a vulnerable app, the consequences include remote manipulation, exposure of private data, fee deduction, and so on.

According to Jiangxiang, co-founder of Internet Fast Bird, the flaw stems from the WebView control packaged in the Android SDK, which, in cooperation with the application that uses it, allows JavaScript in the page to invoke Java code.

This feature brings convenience as well as significant potential risks.

Because Java code can invoke many functions of the system, such as reading and writing files, making calls, and sending text messages, a carefully constructed page can even root the phone or install malicious programs. The system is designed to limit which Java code can be invoked, but on systems prior to 4.2 this limitation is not strict, so the restrictions can be bypassed and exist in name only.

For security reasons, to prevent Java-layer functions from being arbitrarily invoked, Google ruled that from Android 4.2 onward the functions allowed to be called must be annotated with @JavascriptInterface. An application that relies on API level 17 or higher will therefore not be affected by this problem (note: applications running on Android 4.2 with an API level below 17 will still be affected).
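An added example, not from the original article or from Internet Fast Bird: a static check that applies the API-level rule above to a decoded app, flagging each addJavascriptInterface call when the manifest's API levels fall below 17. The sample manifest, package name and source snippet are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANNOTATION_API = 17  # Android 4.2, where @JavascriptInterface becomes mandatory
BRIDGE_CALL = re.compile(r"\.addJavascriptInterface\s*\(")

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a decoded AndroidManifest.xml."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1  # platform defaults when <uses-sdk> is absent
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))
    return min_sdk, target

def audit(manifest_xml, sources):
    """sources maps path -> Java source text. Returns (path, line, reason) tuples."""
    min_sdk, target = sdk_levels(manifest_xml)
    findings = []
    for path, code in sorted(sources.items()):
        for lineno, line in enumerate(code.splitlines(), 1):
            if not BRIDGE_CALL.search(line):
                continue
            if target < ANNOTATION_API:
                # App's API level is below 17: the annotation rule is not applied
                findings.append((path, lineno, "target<17"))
            elif min_sdk < ANNOTATION_API:
                # Installable on pre-4.2 systems, where the limit is not strict
                findings.append((path, lineno, "min<17"))
    return findings

# Constructed sample input (not taken from any real app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
</manifest>"""
SAMPLE_SOURCES = {
    "MainActivity.java": 'webView.getSettings().setJavaScriptEnabled(true);\n'
                         'webView.addJavascriptInterface(new Bridge(), "bridge");\n',
}

if __name__ == "__main__":
    for path, lineno, reason in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(f"{path}:{lineno}: addJavascriptInterface with {reason}")
```

A "min<17" finding means the app itself relies on API level 17 or higher but can still be installed on pre-4.2 systems, so the bridge registration there needs a runtime version guard.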

A large number of mobile developers in China have used the WebView control's interface incorrectly, leading to a large-scale outbreak of attacks exploiting the vulnerability.

Until app developers upgrade their apps, users are advised to open web pages with the system's own browser and to treat links from strangers in social applications with caution.

About Internet Fast Bird:

Internet Fast Bird provides services such as traffic-saving mobile internet access and real-time cloud interception of attacks.
