In recent years, Google has made significant changes to WebViews. While the security behavior of a WebView has improved, introducing one into an app remains a significant change to the app's threat model.
Abstract

The (Android) WebView is an embeddable component that powers the majority of internet-enabled apps. WebViews are popular because they are flexible, offering cross-platform code reuse. However, WebViews transport the problems of the Web model into the app and then add some new problems.
In this session, we explore some WebView-related problems. First, we focus on traditional web attacks, such as connection hijacking and XSS. Next, we focus on the underlying model of web-enabled mobile apps. The bundling of local resources and web-based content rendered in the same container has a significant impact. In this security model, a Same Origin Policy bypass extends to accessing the device file system and stealing juicy user data. Even worse, such an attack may remotely target other applications by using the WebView as a proxy. Finally, WebViews present a security management problem that is just as important to understand: which risks do I not control?
This session is intended for app testers and developers using WebViews.