Attacks on android webviews
In this series of articles so far, we have discussed various techniques to identify and exploit vulnerabilities in Android applications. In the previous article, we have seen how to exploit debuggable Android applications. In this article, let's discuss the vulnerabilities associated with Android WebViews.
11 courses, 8+ hours of training
Topics covered
- Introduction to Android WebViews
- Implementing WebViews in Android apps
- Security issues
- Exploiting Android WebView vulnerabilities using Metasploit
- Using QR Code attacks
Let's begin.
Introduction to WebViews
When developing an Android app, we can load a remote URL or display HTML pages stored in our application within an activity using WebView. Internally it uses WebKit rendering engine to display web pages. It supports methods to navigate forward and backward, text searches, etc. It has some nice features such as support for the usage of JavaScript.
Implementing WebViews in android apps
Implementing WebViews in Android applications is pretty simple. Initially, we will have to set up all the required Android project setup like any other Android application project. Then, we will have to create an object for WebView Class to use its functionality. Here is a sample code snippet of how we can do this.
In order to load an Internet website:
WebView webview = (WebView) findViewById(R.id.mywebview);
webview.loadUrl("http://website.com");
Since we are accessing an Internet application, we need to have Internet access in order for this to work. So, we need to request for INTERNET by placing the following line in the AndroidManifest.xml file:
<uses-permission android_name="android.permission.INTERNET" />
In order to load a file from the file system:
WebView webview = (WebView) findViewById(R.id.mywebview);
webwiew.loadUrl("file:///android_asset/www/file.html");
Security issues
As mentioned in the beginning, WebView supports usage of JavaScript. If the application being loaded into WebView requires JavaScript support, it can be enabled by using the following line.
WebView webview = (WebView) findViewById(R.id.mywebview);
WebSettings webSettings = myWebView.getSettings();
webSettings.setJavaScriptEnabled(true);
Another powerful feature in WebView is exposing a Java object's methods to be accessed from JavaScript.
This is one of the important features which requires a keen eye when implementing, as it can be exploited by passing malicious JavaScript to the application's interface. Below is a sample code snippet by @jduck on how it can be implemented and exploited.
https://github.com/jduck/VulnWebView/
Exploiting android WebView vulnerabilities using Metasploit
In this section, we will see how to exploit a recent vulnerability which affected most of the Android devices. This attack works on all the devices running on Android version 4.2 (JellyBean) and earlier.
- Launch your Metasploit by typing "msfconsole" in a new terminal.
- Type "search android" to see all the exploits associated with Android. You should see the screen below (make sure you have updated your Metasploit to see the screen).
We are going to use the exploit highlighted in the above figure, which uses vulnerable WebView components. You can get other information about this exploit by using the "info" command.
- To load the exploit, we can use the command "use <exploit>" as shown below.
- Now, we can see the options to be set by giving the "show options" command.
- IP address and Port to start a reverse handler can be set manually; otherwise it automatically takes the default values.
In our case, we are leaving the default values and setting the URI PATH as shown below.
- Once after setting up everything, execute the "exploit" as a command to start a reverse handler.
As we can see in the above figure, a reverse handler has been started at http://192.168.1.104/srini0x00. We can directly share this URL with the victim. Once he opens it, it will open up a shell on the device as shown in the figure below.
Using QR code attacks
To make this attack even more convincing, we can embed the above URL into a QRCode image. If a victim scans it using a QR code scanner, the URL will automatically pop up and will be opened in a browser.
This can be achieved using Social Engineering Toolkit.
Steps:
- Open up your Social Engineering Toolkit in Kali Linux by following the path given below.
KaliLinux -> Exploitation Tools -> Social Engineering ToolKit -> se-toolkit
- Select Social Engineering Attacks followed by QRCode Generator Attack Vector as shown in the figure below.
- Now, we have to enter the URL to be embedded into the QRCode image as shown in the figure below. In our case, this is http://192.168.1.104/srini0x00
As we can see in the above figure, a QRCode has been generated.
If you go to the location where it is saved, it looks as shown in the figure below.
- If a victim scans this QRCode with QRCode scanner app from his Android device, it will open it up in a browser and a remote session will be opened in Metasploit.
QRCode opening the URL in a browser
Session Opened in Metasploit
- Let's have a look at all the active sessions.
- Now, let's start interacting with the session appeared in the previous step. This is shown in the following figure.
- I have set my path to system/bin and am now executing the command "cat /proc/cpuinfo" to see the CPU information on the device.
Conclusion
In this article, we have discussed attacks associated with WebViews. We can use Drozer for finding and exploiting these vulnerabilities in Android apps. I have provided a link as a reference if you are interested to use Drozer for this.
11 courses, 8+ hours of training