

Analyzing an Android WebView exploit - nozepas
http://blogs.avg.com/mobile/analyzing-android-webview-exploit/

======
girvo
Damn, I was hoping this bypassed permissions. It can still be dangerous;
picture the Facebook app's permission structure: it uses a WebView (or used to
anyway, I haven't used Android in a while now). An attacker could send a link
that does something useful, or inject JavaScript into a legit page that, when
viewed in FB's app (coupled with an FB status worm, anyone?), sends messages to
premium SMS numbers... the attacker could rack up quite a bit of money.

This is dangerous due to applications' habit of requesting a _lot_ of
permissions, often for use cases that don't need that huge API in particular.
The problem is, designing a more fine-grained permissions structure that is
tractable in terms of UI is a hard problem. This also points out one of the
issues of Android's lack of vendor-supplied updates for anything less than a
flagship phone :(

Does anyone know if WebView has been decoupled from the base OS in later
versions? I know it has been hooked into Chrome now, right, so does that API
get updated with Chrome itself?

~~~
keeperofdakeys
The changes to the WebView are purely about the rendering engine (and possibly
the JavaScript engine). The API itself hasn't changed, as any old app will use
the new WebView as well.

The actual rendering engine change is from a generic WebKit to that of Blink,
used in Chromium. Chrome the application is then a rebranded Chromium, which
compared to the WebView, has a lot of its own code separate from the WebView.

------
dz0ny
I think this is a bit of a misleading article. First, in order for an
application to send an SMS message or perform any other privileged action, it
must declare that at install time (in the manifest file). Second, in order to
send SMS and expose a function to the JS runtime, the function must be in a
subclass of the JavaScriptInterface class (pre JB), or you can use an
annotation if you are targeting JB+ devices.

This means the function must be exposed and written before you can actually
use the exploit. Bottom line, you can't just send SMS from a WebView by
"accident" :) And properly written applications should not expose that
function in the first place.

PhoneGap seems a likely target for this exploit. Facebook, Instagram ... and
many others not.

~~~
trurl42
That is wrong.

Pre JB you can run any function by using reflection, as is demonstrated in the
example.

anyjavaobject.getClass().forName("android.telephony.SmsManager").. etc.
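The defensive pattern the two comments above are arguing about, as an added example (not code from the article or from any commenter; the class and method names are assumed): a bridge object where every public method is reachable from page JavaScript, beside one that exports only an annotated method and is not installed at all on devices below API 17, where the annotation is not enforced.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added example, not code from the article or the thread. Class and method
// names are assumed; only the Android SDK calls are real.
public final class WebViewBridgeSetup {

    // Weak pattern: every public method of the object is callable from page JS,
    // and on Android < 4.2 (API 17) the reflection walk mentioned in the thread
    // can reach well beyond these methods regardless of annotations.
    static final class WeakBridge {
        public void sendSms(String number, String body) { /* privileged action */ }
        public String getVersion() { return "1.0"; }
    }

    // Hardened pattern: only the annotated method is exported, and the object
    // holds nothing privileged. The annotation is honored when the app targets
    // API 17 or later.
    static final class SafeBridge {
        @JavascriptInterface
        public String getVersion() { return "1.0"; }

        // Not annotated: not callable from JS on API 17+ builds.
        public void internalOnly() { }
    }

    @SuppressLint("AddJavascriptInterface")
    static boolean installBridge(WebView webView) {
        // Below API 17 the annotation is not enforced and the reflection issue
        // exists, so refuse to expose any Java object to page content there.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SafeBridge(), "appBridge");
        return true;
    }
}
```

The return value lets the caller fall back to a bridge-less page on old devices instead of silently shipping the weak configuration there.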

