WebView JavaScript Bridge Injection
Description
Android WebView.addJavascriptInterface and similar JS bridges expose native methods to JavaScript. If untrusted content can run in the WebView, an attacker can call native methods and execute privileged actions.
Examples
Identify Bridges
rg -n "addJavascriptInterface\(|setJavaScriptEnabled\(true\)" src out
If pages from untrusted domains load in the same WebView in which bridges are registered, code execution through the bridge is possible.
Proof With Injected JS
Load a page you control that calls the exposed interface, e.g., window.App.doPrivilegedThing().
Remediation
- Avoid or scope bridges
  - Prefer postMessage to a trusted origin; expose minimal, audited interfaces.
- Content isolation
  - Load only trusted content; enforce allow-lists and CSP; block file URLs and untrusted origins.
- Secure settings
  - Disable JavaScript where not needed; disable debugging; use separate WebViews per trust level.
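As an added example (not the page's own code), a hardened WebView setup in Java that applies the three remediation groups above: an origin-bound androidx.webkit message listener in place of addJavascriptInterface, a navigation allow-list in the WebViewClient, and locked-down settings. The host app.example.com, the bridge object name AppBridge and the ping/pong handling are assumed placeholders.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.JavaScriptReplyProxy;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;

public final class HardenedWebView {
    // Only this origin may load in the WebView or reach the bridge (placeholder value).
    static final String TRUSTED_HOST = "app.example.com";
    static final String TRUSTED_ORIGIN = "https://" + TRUSTED_HOST;

    public static void configure(WebView webView) {
        // Secure settings: JS only because the bridge needs it; no file:// or content:// access.
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        WebView.setWebContentsDebuggingEnabled(false);

        // Content isolation: block any navigation to an origin that is not allow-listed.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // returning true cancels the load
            }
        });

        // Scoped bridge: an origin-bound message listener replaces addJavascriptInterface,
        // which any page running JS in this WebView could otherwise call.
        if (WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            WebViewCompat.addWebMessageListener(webView, "AppBridge",
                Collections.singleton(TRUSTED_ORIGIN),
                (view, message, sourceOrigin, isMainFrame, replyProxy) -> {
                    // Defence in depth: re-check origin and frame before anything privileged.
                    if (!isMainFrame || !isTrusted(sourceOrigin)) return;
                    handleMessage(message.getData(), replyProxy);
                });
        }
        webView.loadUrl(TRUSTED_ORIGIN + "/index.html");
    }

    static boolean isTrusted(Uri uri) {
        return uri != null && "https".equals(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    static void handleMessage(String data, JavaScriptReplyProxy reply) {
        // Bridge input is untrusted: validate it and dispatch only audited actions.
        if ("ping".equals(data)) reply.postMessage("pong");
    }
}
```

On devices whose WebView lacks WEB_MESSAGE_LISTENER support the bridge is simply not registered, which fails closed rather than falling back to an unscoped interface.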