1 of 22

Behind Frenemy Lines

Webview and Deeplinks

2 of 22

Agenda

  • What are WebViews ?�
  • What are Deep Links ?

  • Capturing The {RED} Flags�
  • Demo�
  • Patc#ing

3 of 22

What are WebViews ?

4 of 22

WebView

  • Web content is available to users in two ways: in a traditional web browser and in an Android application via WebViews

  • Most trusted option to display first party content.�
  • Talks between your Android app and Web using an Interface.

5 of 22

WebView

  • The WebView class is an extension of Android's View class.�
  • It does not include any features of a fully developed web browser, such as navigation controls or an address bar.

  • Apps commonly use WebView along with Deep links.

6 of 22

WebView

7 of 22

WebView

  • WebView uses JavaScriptInterface for the interaction between the App native code and WebView.

8 of 22

What are Deep Links ?

9 of 22

Deeplinks

  • Deep Links is used to take users to a link's specific content directly in your app, bypassing the app-selection dialog.

  • For a deep link to redirect to a particular content the following are essential inside the AndroidManifest.xml file:
    • <action>

<category>

<data>

10 of 22

Deep linking

11 of 22

Deducing deep links

  • From manifest:

scheme://host/data

  • Deduced deeplinks:
  • http://www.vulbank.com/deeplogin
  • vulbank://deeplink�
  • Further parts of a deep link can be extracted by studying the activities where the deeplinks resolve

��

12 of 22

Deep linking

Code example how deeplink is received in Java/Kotlin and handled

13 of 22

RED FLAGS

14 of 22

#1 Risks in Deep links

  • Deep links can be triggered from anywhere (browser, SMS, other apps etc) and resolves in the background�
  • Deep links are not sanitized by default.

  • Deep links sometimes get directly opened in WebViews which have JavaScriptEnabled flag set.

  • An attacker can deduce the Deep link schema from an AndroidManifest.xml or using Automated tools and can easily fuzz with it

15 of 22

#2 Risks in WebView

  • WebViews do not sanitize content loaded into them by default.�
  • WebViews allow access to local storage & files

  • WebViews can have JavaScript enabled and run JS code

  • Attacks on JavaScript interfaces.

  • Attacks where universal/file access from file URLs is enabled.

16 of 22

Real-world implications

17 of 22

ABZBank

18 of 22

Fetching Access Token - JSInterface

  • ABZBank is a state-of-the-art application which have a great backend implementation.

  • ABZBank have a feature of One Tap Login where you can login from the Web to the app using a deep link.

  • App has an option to load external pages of the Privacy page which opens in a WebView.

19 of 22

Demo

20 of 22

Lets Patch It

21 of 22

Patc#ing

  • Thoroughly sanitize the deep links which come in to the app. Avoid taking URLs as input to deep links whenever possible. �
  • When URLs are passed, always verify domain.

  • Never let any deep link resolve into parts of the application that handle sensitive data/actions (example: Settings)

  • Always whitelist domains that load onto app’s WebViews. Use ChromeTabs or the default browser app to load untrusted domains

  • WebView settings should only be enabled as per requirements

22 of 22

# Reach out :)

> Twitter: amr_bal

> Email: amrbal@gmail.com��> LinkedIn: https://www.linkedin.com/in/amrudeshbal/