
MASTG-TEST-0250: References to Content Provider Access in WebViews

Overview

This test checks for references to Content Provider access in WebViews, which is enabled by default and can be disabled using the setAllowContentAccess method in the WebSettings class. If improperly configured, this can introduce security risks such as unauthorized file access and data exfiltration.

The JavaScript code would have access to any content providers on the device such as:

  • declared by the app, even if they are not exported.
  • declared by other apps, only if they are exported and if they are not following recommended best practices to restrict access.

Refer to WebView Content Provider Access for more information on the setAllowContentAccess method, the specific files that can be accessed and the conditions under which they can be accessed.

Example Attack Scenario:

Suppose a banking app uses a WebView to display dynamic content. The developers have not explicitly set the setAllowContentAccess method, so it defaults to true. Additionally, JavaScript is enabled in the WebView as well as the setAllowUniversalAccessFromFileURLs method.

  1. An attacker exploits a vulnerability (such as an XSS flaw) to inject malicious JavaScript into the WebView. This could occur through a compromised or malicious link that the WebView loads without proper validation.
  2. Thanks to setAllowUniversalAccessFromFileURLs(true), the malicious JavaScript can issue requests to content:// URIs to read locally stored files or data exposed by content providers. Even those content providers from the app that are not exported can be accessed because the malicious code is running in the same process and same origin as the trusted code.
  3. The attacker-controlled script exfiltrates sensitive data from the device to an external server.

Note 1: We do not consider minSdkVersion since setAllowContentAccess defaults to true regardless of the Android version.

Note 2: The provider's android:grantUriPermissions attribute is irrelevant in this scenario as it does not affect the app itself accessing its own content providers. It allows other apps to temporarily access URIs from the provider even though restrictions such as permission attributes or android:exported="false" are set. Also, if the app uses a FileProvider, the android:grantUriPermissions attribute must be set to true by definition (otherwise you'll get a SecurityException: "Provider must grant uri permissions").

Note 3: allowUniversalAccessFromFileURLs is critical in the attack since it relaxes the default restrictions, allowing pages loaded from file:// to access content from any origin, including content:// URIs.

If this setting is not enabled, the following error will appear in logcat:

[INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'content://org.owasp.mastestapp.provider/sensitive.txt' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, https, chrome-untrusted.", source: file:/// (0)

While the fetch request to the external server would still work, retrieving the file content via content:// would fail.

Steps

  1. Use a tool like semgrep to search for references to:
    • the WebView class.
    • the WebSettings class.
    • the setJavaScriptEnabled method.
    • the setAllowContentAccess method from the WebSettings class.
    • the setAllowUniversalAccessFromFileURLs method from the WebSettings class.
  2. Obtain all content providers declared in the app's AndroidManifest.xml file.

Observation

The output should contain:

  • A list of WebView instances including the following methods and their arguments:
    • setAllowContentAccess
    • setJavaScriptEnabled
    • setAllowUniversalAccessFromFileURLs
  • A list of content providers declared in the app's AndroidManifest.xml file.

Evaluation

Fail:

The test fails if all of the following are true:

  • setJavaScriptEnabled is explicitly set to true.
  • setAllowContentAccess is explicitly set to true or not used at all (inheriting the default value, true).
  • setAllowUniversalAccessFromFileURLs method is explicitly set to true.

You should use the list of content providers obtained in the observation step to verify if they handle sensitive data.

Note: The setAllowContentAccess method being set to true does not represent a security vulnerability by itself, but it can be used in combination with other vulnerabilities to escalate the impact of an attack. Therefore, it is recommended to explicitly set it to false if the app does not need to access content providers.

Pass:

The test passes if any of the following are true:

  • setJavaScriptEnabled is explicitly set to false or not used at all (inheriting the default value, false).
  • setAllowContentAccess method is explicitly set to false.
  • setAllowUniversalAccessFromFileURLs method is explicitly set to false.
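As an added example, not part of the MASTG page or its demo, the Python script below carries out the Steps, Observation and Evaluation above on constructed input: it scans decompiled Java/Kotlin source for the three WebSettings calls (plain regexes standing in for the semgrep rules the guide refers to), lists the providers declared in AndroidManifest.xml, and applies the Fail rule, treating a missing setAllowContentAccess call as the default true. The two source snippets, the manifest and the org.example.app names are made-up samples; the first snippet reproduces the misconfiguration from the attack scenario, the second the hardened configuration with allowContentAccess and allowUniversalAccessFromFileURLs explicitly false.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Java-style setter calls, e.g. settings.setAllowContentAccess(false)
SETTER_CALL = re.compile(
    r"\.(setJavaScriptEnabled|setAllowContentAccess|setAllowUniversalAccessFromFileURLs)"
    r"\s*\(\s*(true|false)\s*\)"
)
# Kotlin property syntax, e.g. settings.allowContentAccess = false
PROPERTY_ASSIGN = re.compile(
    r"\.(javaScriptEnabled|allowContentAccess|allowUniversalAccessFromFileURLs)"
    r"\s*=\s*(true|false)\b"
)
PROPERTY_TO_SETTER = {
    "javaScriptEnabled": "setJavaScriptEnabled",
    "allowContentAccess": "setAllowContentAccess",
    "allowUniversalAccessFromFileURLs": "setAllowUniversalAccessFromFileURLs",
}

# Constructed sample 1 (Java): JavaScript and universal file-URL access are on,
# setAllowContentAccess is never called, so it keeps its default value of true.
VULNERABLE_SOURCE = """
WebView webView = findViewById(R.id.webview);
WebSettings settings = webView.getSettings();
settings.setJavaScriptEnabled(true);
settings.setAllowUniversalAccessFromFileURLs(true);
webView.loadUrl("file:///android_asset/index.html");
"""

# Constructed sample 2 (Kotlin): the same WebView with both settings disabled.
HARDENED_SOURCE = """
val settings = webView.settings
settings.javaScriptEnabled = true
settings.allowContentAccess = false
settings.allowUniversalAccessFromFileURLs = false
webView.loadUrl("https://app.example.org/")
"""

# Constructed sample manifest: one non-exported provider and a FileProvider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.app">
  <application>
    <provider android:name=".SensitiveProvider"
        android:authorities="org.example.app.provider" android:exported="false" />
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="org.example.app.fileprovider" android:exported="false"
        android:grantUriPermissions="true" />
  </application>
</manifest>
"""


def find_websettings_calls(source):
    """Map each of the three setters to the last explicit boolean it was given."""
    found = {}
    for m in SETTER_CALL.finditer(source):
        found[m.group(1)] = m.group(2) == "true"
    for m in PROPERTY_ASSIGN.finditer(source):
        found[PROPERTY_TO_SETTER[m.group(1)]] = m.group(2) == "true"
    return found


def list_providers(manifest_xml):
    """Return name, authorities and exported flag for every <provider> element."""
    root = ET.fromstring(manifest_xml)
    providers = []
    for p in root.iter("provider"):
        exported = p.get(ANDROID_NS + "exported")
        providers.append({
            "name": p.get(ANDROID_NS + "name"),
            "authorities": p.get(ANDROID_NS + "authorities"),
            "exported": None if exported is None else exported == "true",
        })
    return providers


def evaluate(settings):
    """Apply the test's Fail rule: the verdict is FAIL only if all three hold."""
    js_enabled = settings.get("setJavaScriptEnabled") is True             # explicit true
    content_access = settings.get("setAllowContentAccess", True) is True  # absent inherits true
    universal = settings.get("setAllowUniversalAccessFromFileURLs") is True  # explicit true
    return "FAIL" if (js_enabled and content_access and universal) else "PASS"


def run_test(source, manifest_xml):
    """Produce the observation described on the page together with the verdict."""
    settings = find_websettings_calls(source)
    return {"settings": settings,
            "providers": list_providers(manifest_xml),
            "verdict": evaluate(settings)}


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        result = run_test(src, SAMPLE_MANIFEST)
        print(label, result["verdict"], result["settings"])
        for p in result["providers"]:
            print("  provider", p["authorities"], "exported =", p["exported"])
```

The provider list is what the evaluation asks you to review by hand: for each authority, check whether the provider serves sensitive data, since a non-exported provider is still reachable from JavaScript running inside the app's own WebView when the verdict is FAIL.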

Mitigations

Demos

MASTG-DEMO-0029: Uses of WebViews Allowing Content Access with semgrep
