com.insecureshop.WebViewActivity, com.insecureshop.WebView2Activity and com.insecureshop.PrivateActivity have the following insecure WebView properties enabled:

setAllowUniversalFileAccessFromFileURLs allows any document opened with the file:// scheme to access the content of any local documents and also of any other document or property accessible using other schemes like http(s)://. This leads to a violation of the Same Origin Policy and allows an attacker both to steal the user's data and to interact with any other Internet services on behalf of the Android application.

setJavaScriptEnabled allows execution of JavaScript in the context of a running application. By performing a man-in-the-middle (MitM) attack or tampering with a server response, an attacker can inject and execute arbitrary JavaScript code. This can lead to information leakage or remote code execution in specific scenarios.

Run webview-javascript.yaml and webview-universal-access.yaml on a decompiled Android app to identify the insecure WebView properties in use.

With setAllowUniversalFileAccessFromFileURLs enabled, we are able to exfiltrate InsecureShop application's localstorage data to the remote domain.
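
The check for the two WebView setters named above can also be scripted directly over decompiled Java source. The following is an added example, not code from the original page or from the InsecureShop project, and it does not reproduce the contents of the two .yaml rules; the names scan_source and SAMPLE and the sample class are constructed for illustration, and Java-style decompiler output is assumed.

```python
import re

# The two WebView setters the page flags as insecure when enabled.
RISKY = ("setJavaScriptEnabled", "setAllowUniversalFileAccessFromFileURLs")
CALL = re.compile(r"\.(%s)\s*\(\s*([^)]*?)\s*\)" % "|".join(RISKY))
# String/char literals are matched first so a "//" inside a URL is not taken for a comment.
TOKEN = re.compile(r'''"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])+'|//[^\n]*|/\*.*?\*/''', re.S)


def _blank(m):
    s = m.group(0)
    # Keep literals; blank comments but preserve newlines so line numbers survive.
    return s if s[0] in "\"'" else re.sub(r"[^\n]", " ", s)


def scan_source(name, text):
    """Return findings for one decompiled Java file as a list of dicts."""
    code = TOKEN.sub(_blank, text)
    findings = []
    for m in CALL.finditer(code):
        arg = m.group(2)
        if arg == "false":
            continue  # explicitly disabled: nothing to report
        findings.append({
            "file": name,
            "line": code.count("\n", 0, m.start()) + 1,
            "setting": m.group(1),
            # a non-literal argument cannot be resolved statically: flag for manual review
            "status": "enabled" if arg == "true" else "review",
        })
    enabled = {f["setting"] for f in findings if f["status"] == "enabled"}
    for f in findings:
        # Both enabled in one class: script in a file:// page can read other origins.
        f["severity"] = "high" if enabled == set(RISKY) else "medium"
    return findings


# Constructed sample, not InsecureShop's real source.
SAMPLE = '''package com.example.shop;  // constructed sample
public class DemoWebViewActivity {
    void setup(android.webkit.WebView webView, boolean flag) {
        // webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowUniversalFileAccessFromFileURLs(true);
        webView.loadUrl("https://example.com/"); webView.getSettings().setJavaScriptEnabled(flag);
    }
}
'''
```

Call scan_source on the text of each .java file in the decompiled tree; findings marked "review" carry a non-literal argument and need a manual look.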