您的应用正在使用易受跨应用脚本攻击的 WebView Android PlayStore 警告

Question

In whistleIt we load static url in webview and handle notification and other things but in last 2 versions we receive warning

Your app(s) are using a WebView that is vulnerable to cross-app scripting

We are not using android:exported=”true“ in our activity also i am using below code in Webview activity but still getting warning email.

<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />

what should i do now so our warning will get removed?

Answer 1

Please add this line of code in your project manifest.xml

<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
 android:value="true" />

Answer 2

according to https://support.google.com/faqs/answer/9084685?hl=en-GB

you can do 2 things

1 Ensure that affected activities are not exported

Find any Activities with affected WebViews. If these Activities do not need to take Intents from other apps you can set android:exported=false for the Activities in your Manifest. This ensures that malicious apps cannot send harmful inputs to any WebViews in these activities.

2 Protect WebViews in exported activities

If you want to set an Activity with an affected WebView as exported then we recommend that you make the following changes:

1 Protect calls to evaluateJavascript and loadUrl

Ensure that parameters to evaluateJavascript are always trusted. Calling evaluateJavascript using unsanitised input from untrusted intents lets attackers execute harmful scripts in the affected WebView. Similarly, calling loadUrl with unsanitised input containing javascript: scheme URLs lets attackers execute harmful scripts.

2 Prevent unsafe file loads

Ensure that affected WebViews cannot load the cookie database. WebViews that load unsanitised file:// URLs from untrusted intents can be attacked by malicious apps in two steps. First step: a malicious web page can write tags into the cookies database. Second step: this modified cookies database file can be loaded if a malicious app sends an intent with a file:// URL pointing to your WebView cookies database, or if the malicious web page itself redirects your WebView to the file URL. The malicious

stored in the cookies database will load and execute, which can steal session information.

You can ensure that affected WebViews cannot load the WebView cookies database in three ways.

1. Disable all file access.
2. Make sure that the WebView only loads file:// URLs and verify that any loaded file:// URLs point to safe files. Note that an attacker can use a symbolic link to trick checks on the URL path. To prevent such an attack, make sure that you check the canonical path of any untrusted file:// URL before loading instead of just checking the URL path.
3. If you want to allow both http:// URLs and file:// URLs, implement the file:// URL verification using shouldOverrideUrlLoading and shouldInterceptRequest in WebViewClient. This ensures that all URLs loaded into WebView are verified, not limited to the URLs directly provided to a loadUrl() function call.