Android Webview Content Access Enabled

ID

kotlin.android_webview_content_access_enabled

Severity

critical

Resource

Information Leak

Language

Kotlin

Tags

CWE:200, NIST.SP.800-53, PCI-DSS:6.5.8, android

Description

When a WebView is set to allow content access, it may expose protected content via content:// URLs.

Rationale

The WebView component in Android applications can optionally provide access to content providers using content:// URLs through the setAllowContentAccess setting. While this capability might be necessary for certain applications, it can pose a security risk by exposing sensitive or protected content to JavaScript running inside the WebView.

For applications that do not require this feature, it is recommended to disable content access to minimize security vulnerabilities. Failure to do so could result in unauthorized content exposure, which might be exploited by malicious code to access confidential information.

Example of insecure Kotlin code:

import android.webkit.WebView

val appView = WebView(this)   // `this` is the hosting Activity context
val webSettings = appView.settings

// BAD: WebView is configured to allow content access, so content:// URLs
// become reachable from pages loaded in the WebView
webSettings.allowContentAccess = true

In this example, the WebView is configured to allow access to content providers, potentially allowing JavaScript access to protected content.

Remediation

To remediate the risks associated with the WebView content access feature, implement the following:

  1. Disable Content Access: If your application does not require interaction with content:// URLs, explicitly disable this setting.

  2. Review Content Access Requirements: Assess whether your app genuinely needs to use content access. Limit use to only trusted content and contexts.

  3. Test for Security: Perform thorough testing to ensure that no unintended content exposure occurs when content:// access is necessary.

Secure Kotlin code example:

import android.webkit.WebView

val appView = WebView(this)   // `this` is the hosting Activity context
val webSettings = appView.settings

// GOOD: WebView is explicitly configured to disallow content access
webSettings.allowContentAccess = false
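For the case in remediation step 2, where an app genuinely needs content:// access, the following added example (not part of the original rule text) keeps the setting enabled but restricts loads to the app's own content provider; the authority string and the helper names are assumptions:

```kotlin
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebView
import android.webkit.WebViewClient
import java.io.ByteArrayInputStream

// Assumed: the app's own FileProvider authority, as declared in its manifest.
private const val TRUSTED_CONTENT_AUTHORITY = "com.example.app.fileprovider"

// True only for content:// URIs served by the app's own provider.
fun isTrustedContentUri(uri: Uri): Boolean =
    uri.scheme == "content" && uri.authority == TRUSTED_CONTENT_AUTHORITY

// Hypothetical helper: applies hardened settings and installs a client that
// refuses content:// loads from any provider other than the trusted one.
fun configureRestrictedContentAccess(webView: WebView) {
    val settings = webView.settings
    settings.allowContentAccess = true   // required for the trusted provider
    settings.allowFileAccess = false     // file:// is not needed here
    settings.javaScriptEnabled = false   // enable only if the page needs it

    webView.webViewClient = object : WebViewClient() {
        // Block top-level navigation to untrusted content:// URIs.
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val uri = request.url
            return uri.scheme == "content" && !isTrustedContentUri(uri)
        }

        // Block sub-resource loads (images, scripts, iframes) from untrusted
        // providers by answering with an empty response instead of fetching them.
        override fun shouldInterceptRequest(view: WebView, request: WebResourceRequest): WebResourceResponse? {
            val uri = request.url
            if (uri.scheme == "content" && !isTrustedContentUri(uri)) {
                return WebResourceResponse("text/plain", "utf-8", ByteArrayInputStream(ByteArray(0)))
            }
            return super.shouldInterceptRequest(view, request)
        }
    }
}
```

Note that allowContentAccess defaults to true on Android, so an explicit assignment is what actually disables or narrows it.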

References