From the documentation: http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29
"Using a
For anyone checking this out in 2020, it seems like the security concern only affects Android APIs lower than 17 (Android 4.2). So, if your minSdkVersion is 17 or higher, then you should be safe.
Here are references:
https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/
If the linked SDK has been built for an API lower than 17, the vulnerability exists – even if the application using the SDK has been built for API 17 or above.
https://7asecurity.com/blog/2019/09/hacking-mandated-apps-part-5-rce-in-webview-mstg-platform-7/
Android versions from Android 2.4 to Android 4.1 are affected by a vulnerability that allows remote code execution when JavaScript is injected in the WebView.
https://arxiv.org/pdf/1912.12982.pdf (Page 7)
Google later fixed this weakness on Android 4.2 and above. However, if an app sets the targetSdkVersion lower than 17 and also calls this API, the system will still render the vulnerable API behavior even when running on Android 4.2+. Such vulnerable app examples are available at https://sites.google.com/site/androidrce/.
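A check for the two conditions discussed in this answer, as an added example that is not part of the original post: it reads minSdkVersion and targetSdkVersion from a text AndroidManifest.xml and reports addJavascriptInterface call sites when either value is below 17. The function names, the sample manifest and the sample source are constructed for illustration, and the manifest is assumed to carry its own uses-sdk element.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FIXED_API = 17  # Android 4.2, the level named in the references above
CALL_RE = re.compile(r"\.addJavascriptInterface\s*\(")

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="16"/>
</manifest>"""
SAMPLE_SOURCES = {"app/Bridge.java":
                  'WebView w = findViewById(R.id.web);\nw.addJavascriptInterface(new Api(), "api");\n'}

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a text AndroidManifest.xml."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = uses_sdk.attrib if uses_sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))          # platform default is 1
    target = int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))  # defaults to minSdkVersion
    return min_sdk, target

def audit(manifest_xml, sources):
    """sources maps path -> Java/Kotlin text. Returns a list of finding strings."""
    min_sdk, target = sdk_levels(manifest_xml)
    calls = [(path, n) for path, text in sources.items()
             for n, line in enumerate(text.splitlines(), 1) if CALL_RE.search(line)]
    if not calls:
        return []  # no JavaScript bridge registered, nothing to report
    findings = []
    if target < FIXED_API:
        findings.append(f"targetSdkVersion {target} < {FIXED_API}: "
                        "pre-4.2 API behaviour is kept even on Android 4.2+")
    if min_sdk < FIXED_API:
        findings.append(f"minSdkVersion {min_sdk} < {FIXED_API}: "
                        "app installs on Android releases below 4.2")
    if findings:
        findings += [f"  call site: {path}:{n}" for path, n in calls]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MANIFEST, SAMPLE_SOURCES)) or "no findings")
```

Per the F-Secure reference above, a linked SDK built for an API lower than 17 needs the same check run against its own manifest and sources.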