SecAppDev 2019 has ended
Tuesday, February 19 • 09:00 - 10:30
Using Android Webviews - moving web risks into the app


In recent years, Google has made significant changes to WebViews. While the security behavior of a WebView has improved, its introduction remains a significant change to the threat model.

The (Android) WebView is an embeddable component that powers the majority of internet-enabled apps. WebViews are popular because they are flexible, offering cross-platform code reuse. However, WebViews carry the problems of the web security model into the app and then add some new problems of their own.

In this session, we explore some WebView-related problems. First, we focus on traditional web attacks, such as connection hijacking and XSS. Next, we focus on the underlying model of web-enabled mobile apps. The bundling of local resources and web-based content rendered in the same container has a significant impact. In this security model, a Same Origin Policy bypass extends to accessing the device file-system and stealing juicy user data. Worse, such an attack may remotely target other applications by using the WebView as a proxy. Finally, WebViews present a security management problem that is just as important to understand: which risks do I not control?
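To make the abstract's point concrete for developers, the following is an added example (not material from the session or its speaker) showing the WebView settings that decide whether a web-side bug stays a web-side bug or reaches the device file-system. The `WebSettings` and `WebViewClient` calls are the real Android SDK APIs; `WebViewAssetLoader` is from the androidx.webkit library; the class name, the `ALLOWED_HOST` value and `assets/index.html` are assumptions for illustration.

```java
import android.content.Context;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

/** Illustrative helper (assumed name) contrasting a risky and a hardened WebView setup. */
public final class WebViewHardening {

    // Assumed value: the single remote origin this app's WebView is meant to show.
    private static final String ALLOWED_HOST = "example.com";

    /**
     * The risky configuration: local files and remote content share one container and
     * file:// pages may read other file:// URLs, so an XSS in remote content or a
     * hijacked connection can be escalated to reading app-private files.
     */
    public static void configureRisky(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                    // file:// URLs loadable
        s.setAllowFileAccessFromFileURLs(true);        // file:// pages can read other files
        s.setAllowUniversalAccessFromFileURLs(true);   // file:// pages escape the SOP entirely
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        webView.loadUrl("file:///android_asset/index.html");
    }

    /**
     * The hardened configuration: no file:// access at all, local assets served over a
     * dedicated https origin via WebViewAssetLoader, navigation pinned to one host,
     * mixed content refused and TLS errors never ignored.
     */
    public static void configureHardened(final WebView webView, Context context) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                  // only if the page needs it
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // Serve bundled assets from https://appassets.androidplatform.net/assets/...
        // so local content gets its own origin instead of file://.
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }

            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation; only the allowed origins proceed.
                return !isAllowed(request.getUrl());
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();                     // never proceed past a TLS failure
            }
        });

        webView.loadUrl("https://appassets.androidplatform.net/assets/index.html");
    }

    /** Allow-list check used by the hardened client: https only, and only known hosts. */
    static boolean isAllowed(Uri url) {
        if (url == null || !"https".equals(url.getScheme())) {
            return false;
        }
        String host = url.getHost();
        return ALLOWED_HOST.equals(host) || "appassets.androidplatform.net".equals(host);
    }
}
```

The two methods differ only in settings and client, which is the point of the abstract: the same container is either a file-system bridge or a sandbox depending on a handful of flags. The allow-list in `isAllowed` is what keeps a hijacked or injected navigation from turning the WebView into a proxy to other origins.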

This session is intended for app testers and developers using WebViews.


Andrew Lee-Thorp

Principal consultant, Synopsys SIG

Tuesday February 19, 2019 09:00 - 10:30 CET
Main building (room Lemaire)