Exploiting Android WebView

Mostafa Elguerdawi
3 min read · Sep 7, 2023

Hello all, I am Mostafa Elguerdawi and this is my first bug ever in Android bug hunting, so let’s start.

What is WebView?

In Android development, a WebView is a UI component that allows you to display web content within your Android app. It is essentially a widget that can render web pages, HTML content, and web-based applications directly within your app's user interface. This is particularly useful when you want to integrate web content or web functionality into your Android application.

Steps I took to discover this bug

  • First I downloaded the application from the Play Store onto my machine.
  • Using adb (Android Debug Bridge) I pushed the application onto my emulator: adb push app.apk
  • After that, I started the static analysis. I decompiled the application using apktool with the command:
    apktool d <appname>
  • Then I converted the Android DEX (Dalvik Executable) files into JAR (Java Archive) files by reversing the app.

In the apktool output there is a file called AndroidManifest.xml.

The AndroidManifest.xml file is an essential component of an Android application. It is an XML file that provides critical information about the app to the Android operating system and other components, such as the activities, package manager, runtime environment, and app installer.

I started analyzing it, looking for exported activities or providers.

After a lot of time reading and understanding the app, I found an exported Activity called com.redacted.android.deeplink.WebViewActivity.

I decided to open it in jd-gui and look at the code responsible for this activity.

    String str = getIntent().getStringExtra("extra_url");
    if (str == null)
        return;

This code retrieves a string extra named "extra_url" from the activity's intent. If the extra is null, the method returns early, indicating that there's nothing more to do.

    if (LinkUtils.isDynamicLink(str)) {
        startScreenFromDynamicLink(str);
        return;
    }

Here, it checks whether the str (URL) obtained from the intent is a dynamic link using LinkUtils.isDynamicLink(str). If it is, it calls the startScreenFromDynamicLink method to handle the dynamic link and returns. Otherwise, it proceeds to load the URL into a WebView. Note that the only check the URL has passed at this point is the null check; nothing shown here restricts its scheme or host before it reaches the WebView.

    public static final class Companion {
        private Companion() {}

        public final Intent newIntent(Context param1Context, String param1String) {
            Intrinsics.checkNotNullParameter(param1Context, "context");
            Intrinsics.checkNotNullParameter(param1String, "url");
            Intent intent = new Intent(param1Context, WebViewActivity.class);
            intent.putExtra("extra_url", param1String);
            return intent;
        }
    }
}

This inner class, Companion, is responsible for creating new WebViewActivity instances via the newIntent method. It ensures that the required URL is passed as an extra when creating an intent for this activity.

In summary, this code defines an Android WebViewActivity that handles dynamic links and displays web content within a WebView.

After reviewing the code, I was not 100% sure where the bug was.

Using adb, I tried manipulating the string extra ‘extra_url’ to control what the WebView displays.

adb shell am start -n com.redacted.android/.deeplink.WebViewActivity --es "extra_url" "javascript:alert('XSS')"
  • adb shell am start: This part of the command is used to start an Android activity.
  • -n com.redacted.android/.deeplink.WebViewActivity: The -n flag is used to specify the component name of the activity to be started.
  • --es "extra_url" "javascript:alert('XSS')": This part of the command is specifying an extra parameter for the activity. It's setting a key-value pair where the key is "extra_url" and the value is "javascript:alert('XSS')".
  • This command makes the WebView display an alert dialog with the message ‘XSS’.

After launching the command I went back to my emulator and found that it had succeeded.
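The root cause is that an exported activity hands a caller-controlled string straight to the WebView, so any app on the device (or anyone with adb) can choose what it renders, including a javascript: URL. Below is an added example of how the same activity can be written defensively; it is not the redacted app's code, and the class name, the allowed hosts and the log tag are assumptions. The URL is parsed and required to be https with a host on an allowlist before the first load, the same check is repeated on every later navigation through a WebViewClient, and JavaScript is left disabled unless the rendered page really needs it.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hardened counterpart of the exported WebViewActivity discussed in the post (example code).
public class SafeWebViewActivity extends Activity {
    private static final String TAG = "SafeWebViewActivity";
    public static final String EXTRA_URL = "extra_url";

    // Hosts this screen is allowed to render. Assumed values for the example.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    /**
     * Returns true only for absolute https URLs whose host is on the allowlist.
     * javascript:, file:, content:, http:, unknown hosts and unparseable input
     * are all rejected before they can reach the WebView.
     */
    static boolean isAllowedUrl(String raw) {
        if (raw == null) return false;
        Uri uri = Uri.parse(raw.trim());
        String scheme = uri.getScheme();
        String host = uri.getHost(); // null when the URL has no authority, e.g. javascript:alert(1)
        if (scheme == null || host == null) return false;
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Exact host match: www.example.com.evil.test is not accepted, and
        // https://www.example.com@evil.test parses to host evil.test and is rejected too.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        String url = getIntent().getStringExtra(EXTRA_URL);
        if (!isAllowedUrl(url)) {
            // Same early-return shape as the original, now for any URL that fails validation.
            Log.w(TAG, "Rejected extra_url from caller: " + url);
            finish();
            return;
        }

        WebView webView = new WebView(this);
        // Re-apply the check on every navigation the page triggers, not only the first load.
        // This overload of shouldOverrideUrlLoading requires API 24 or higher.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri target = request.getUrl();
                boolean allowed = isAllowedUrl(target.toString());
                if (!allowed) Log.w(TAG, "Blocked navigation to " + target);
                return !allowed; // returning true tells the WebView not to load the URL
            }
        });
        // JavaScript stays off unless the allowlisted pages genuinely need it.
        webView.getSettings().setJavaScriptEnabled(false);
        setContentView(webView);
        webView.loadUrl(url);
    }
}
```

With this in place, the adb command from earlier in the post (extra_url set to javascript:alert('XSS')) fails the scheme check and the activity simply finishes, which is the quickest way to confirm the fix on an emulator. If the activity never needs to be started by other apps at all, the stronger fix is to remove the entry point entirely by setting android:exported="false" on it in AndroidManifest.xml; the input validation above is still worth keeping for the cases where the activity must stay exported for deep links.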
