Android WebView exploit allows installation of malicious software
Posted by: Jon Ben-Mayor on 09/17/2013 12:43 PM
[
Comments
]
A large number of Android applications have an vulnerability flaw that acts as an access point into the device - this vulnerability allows for the installation of malicious software and other evil things. The flaw, which AVG discusses in a blog post, affects WebView control applications installed on Android devices running versions older than 4.2. To be clear on this; if you are running 4.1 or older you are vulnerable and it is recommended to upgrade to 4.2 or higher.
The WebView class is an extension of Android’s View class that allows you to display web pages as a part of the appication’s screen layout. It does not include any features of a fully developed web browser, such as navigation controls or an address bar.
All that WebView does, by default, is show a web page. When developing an Android application, if the web page you plan to load in your WebView uses JavaScript, you must enable JavaScript for your WebView.
Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.
AVG explains that users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page.
The device will automatically perform the malicious actions that were ordered in the malicious web page that contain those JavaScript commands.
The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.
AVG offers this fix for applications running Android 4.2 - all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.
So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
As users you should try not to download suspicious mobile applications from third party markets and avoid clicking on suspicious links coming from strangers.
The WebView class is an extension of Android’s View class that allows you to display web pages as a part of the appication’s screen layout. It does not include any features of a fully developed web browser, such as navigation controls or an address bar.All that WebView does, by default, is show a web page. When developing an Android application, if the web page you plan to load in your WebView uses JavaScript, you must enable JavaScript for your WebView.
Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.
AVG explains that users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page.
The device will automatically perform the malicious actions that were ordered in the malicious web page that contain those JavaScript commands.
The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.
AVG offers this fix for applications running Android 4.2 - all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
As users you should try not to download suspicious mobile applications from third party markets and avoid clicking on suspicious links coming from strangers.
Comments
