Versions Compared

Comment: whitelist instead of blacklist

...

Any URI received via an intent from outside a trust boundary must be validated before it is rendered in a WebView. The following code allows only URIs that begin with "http" and replaces anything else with about:blank. Because "https" also begins with "http", both web schemes pass, while "file:" and every other scheme are rejected. Allowing the known-good schemes (a whitelist) is preferable to rejecting only the known-bad "file:" scheme (a blacklist). Note that a plain prefix test is a coarse check: it accepts any scheme name that happens to start with "http", so parsing the URI and comparing the scheme exactly is stricter.


Code Block
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class MyBrowser extends Activity {
  @Override
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.main);

    WebView webView = (WebView) findViewById(R.id.webview);

    // The "url" extra may come from any app, or may be absent entirely.
    String url = getIntent().getStringExtra("url");

    // Whitelist: accept only URIs that start with "http"; everything else
    // (including "file:") falls back to a harmless page.
    // Note: "https".startsWith("http") == true
    if (url == null || !url.startsWith("http")) {
        url = "about:blank";
    }

    webView.loadUrl(url);
  }
}
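The example below is added here and is not part of the original rule page. It parses the received string with java.net.URI and accepts it only when the scheme is exactly http or https (case-insensitively) and a host is present, which is stricter than the prefix test above; it also prints the two checks side by side over a set of constructed sample inputs. The class and method names (UrlAllowlist, isAllowed, sanitize, prefixCheckAllows) and the "httpx" scheme in the samples are hypothetical. It is written against the plain JDK so it runs outside Android; in an Activity the same logic can use android.net.Uri.parse(url).getScheme() instead.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public final class UrlAllowlist {
    // Fallback used when a received URL fails validation (same as the page's code).
    static final String SAFE_FALLBACK = "about:blank";

    /** Returns true only for absolute http/https URLs that carry a host. */
    static boolean isAllowed(String url) {
        if (url == null) {
            return false;                 // missing "url" extra
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                 // unparseable input is rejected, not repaired
        }
        String scheme = uri.getScheme();
        if (scheme == null || uri.isOpaque() || uri.getHost() == null) {
            return false;                 // relative, opaque ("http:foo") or host-less URIs
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        return scheme.equals("http") || scheme.equals("https");
    }

    /** The URL the WebView would actually be asked to load. */
    static String sanitize(String url) {
        return isAllowed(url) ? url : SAFE_FALLBACK;
    }

    /** The page's prefix check, kept here for side-by-side comparison. */
    static boolean prefixCheckAllows(String url) {
        return url != null && url.startsWith("http");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as an attacker-controlled intent extra might carry them.
        String[] samples = {
            "https://example.com/page",
            "http://example.com/",
            "HTTP://example.com/",                                      // prefix test rejects, allowlist accepts
            "file:///data/data/com.example/shared_prefs/secrets.xml",   // the case DRD02-J is about
            "FILE:///etc/hosts",
            "content://com.example.provider/items",
            "javascript:alert(document.cookie)",
            "httpx://example.com/",       // hypothetical scheme: passes a "http" prefix test
            "http:opaque-no-host",
            "//example.com/protocol-relative",
            null,
        };
        for (String s : samples) {
            System.out.printf("%-58s prefix=%-5b allowlist=%-5b -> %s%n",
                    s, prefixCheckAllows(s), isAllowed(s), sanitize(s));
        }
    }
}
```

The two checks disagree on exactly the inputs that matter for a whitelist: an unknown scheme that merely begins with "http", and an upper-case "HTTP://" URL that the prefix test turns away although it is a legitimate web URL.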

Risk Assessment

Allowing WebView to access sensitive resources may result in information leaks.

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
DRD02-J   medium     probable     high               P6         L2

Automated Detection

Automatic detection is not feasible.

...