MASTG-BEST-0012: Disable JavaScript in WebViews

If JavaScript isnot required, explicitly disable it in WebViews by settingsetJavaScriptEnabled(false).

Enabling JavaScript in WebViewsincreases the attack surface and can expose your app to severe security risks, including:

• Cross-Site Scripting (XSS): Malicious JavaScript can execute within the WebView, leading to session hijacking, credential theft, or defacement.
• Data Exfiltration: WebViews can access sensitive data such as cookies, tokens, or local files (e.g., viafile:// orcontent:// URIs whensetAllowFileAccess(true),setAllowFileAccessFromFileURLs(true), orsetAllowContentAccess(true) are enabled) which can be exfiltrated by malicious scripts ifsetAllowUniversalAccessFromFileURLs(true) is set.
• Unauthorized Device Access: JavaScript can be used in conjunction withaddJavascriptInterface to exploit exposed native Android interfaces, leading to remote code execution (RCE).

Sometimes this is not possible due to app requirements. In those cases, ensure that you have implemented proper input validation, output encoding, and other security measures.

Note: sometimes you may want to use alternatives to regular WebViews, such asTrusted Web Activities orCustom Tabs, which provide a more secure way to display web content in your app. In those cases, JavaScript is handled within the browser environment, which benefits from the latest security updates, sandboxing, and mitigations against common web vulnerabilities such as Cross-Site Scripting (XSS) and Machine-in-the-Middle (MITM) attacks.

Tests¶

MASTG-TEST-0250: References to Content Provider Access in WebViews MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews MASTG-TEST-0252: References to Local File Access in WebViews MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews