Android Webview File Access Enabled

ID

kotlin.android_webview_file_access_enabled

Severity

critical

Resource

Information Leak

Language

Kotlin

Tags

CWE:200, NIST.SP.800-53, PCI-DSS:6.5.8, android

Description

Enabling unrestricted file access in WebView settings can expose sensitive files and increase the risk of security vulnerabilities.

Rationale

Allowing file access in Android’s WebView, especially with settings like setAllowFileAccess, setAllowFileAccessFromFileURLs, and setAllowUniversalAccessFromFileURLs, can inadvertently open up access to local files and network resources. This can lead to unauthorized access or modification of files, resulting in potential data leaks or injection attacks.

Such configurations are a security risk, particularly when loading content from untrusted sources. It’s crucial to limit file access permissions and ensure that only trusted content can interact with local resources.

package com.example.insecurewebview

import android.os.Bundle
import android.webkit.WebSettings
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity

class MainActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        val webView: WebView = findViewById(R.id.webview)
        val settings: WebSettings = webView.settings

        // Insecure: Enabling file access
        settings.setAllowFileAccess(true) // FLAW
        settings.setAllowFileAccessFromFileURLs(true) // FLAW
        settings.setAllowUniversalAccessFromFileURLs(true) // FLAW

        webView.loadUrl("file:///android_asset/sample.html")
    }
}

Remediation

To mitigate security risks, disable unnecessary file access options in WebView settings. By default, file access should be disabled unless explicitly needed, and only for known, trusted content. Note that setAllowFileAccess(false) only restricts access to the file system: bundled assets and resources remain loadable through file:///android_asset and file:///android_res, which is why the secure example below can still load its sample page.

package com.example.securewebview

import android.os.Bundle
import android.webkit.WebSettings
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity

class MainActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        val webView: WebView = findViewById(R.id.webview)
        val settings: WebSettings = webView.settings

        // Secure: Disabling file access by default
        settings.setAllowFileAccess(false)
        settings.setAllowFileAccessFromFileURLs(false)
        settings.setAllowUniversalAccessFromFileURLs(false)

        // Load trusted, bundled content (assets remain reachable with file access disabled)
        webView.loadUrl("file:///android_asset/sample.html")
    }
}
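The rule above flags the three setters when they are called with true. As an added example that is not part of the original page, the following small Python checker implements that same detection over Kotlin source, matching both the Java-style setter call and the Kotlin property-assignment form; the sample source is constructed for the example, and the line-comment stripping is deliberately naive (it does not parse string literals).

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    setting: str   # WebSettings property that was enabled
    text: str      # offending source line, stripped

# Java-style setter name -> Kotlin synthetic property name.
FLAGGED = {
    "setAllowFileAccess": "allowFileAccess",
    "setAllowFileAccessFromFileURLs": "allowFileAccessFromFileURLs",
    "setAllowUniversalAccessFromFileURLs": "allowUniversalAccessFromFileURLs",
}

# settings.setAllowFileAccess(true)
_SETTER_RE = re.compile(r"\b(" + "|".join(FLAGGED) + r")\s*\(\s*true\s*\)")
# settings.allowFileAccess = true
_PROPERTY_RE = re.compile(r"\b(" + "|".join(FLAGGED.values()) + r")\s*=\s*true\b")

def scan_kotlin(source: str) -> List[Finding]:
    """Return one Finding per line that enables a flagged WebSettings option."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # naive: drop trailing '//' comments
        if not code.strip():
            continue
        m = _SETTER_RE.search(code)
        if m:
            findings.append(Finding(lineno, FLAGGED[m.group(1)], raw.strip()))
            continue
        m = _PROPERTY_RE.search(code)
        if m:
            findings.append(Finding(lineno, m.group(1), raw.strip()))
    return findings

# Constructed sample: two true assignments, one false, one commented out.
SAMPLE_KOTLIN = """\
val settings: WebSettings = webView.settings
settings.setAllowFileAccess(true)              // setter form, flagged
settings.allowFileAccessFromFileURLs = true    // property form, flagged
settings.setAllowUniversalAccessFromFileURLs(false)
// settings.setAllowFileAccess(true)           // commented out, not flagged
settings.allowFileAccess = false
"""

if __name__ == "__main__":
    for f in scan_kotlin(SAMPLE_KOTLIN):
        print(f"line {f.line}: {f.setting} enabled -> {f.text}")
```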

References