Analysis of Local File Access Permission Leakage in Android WebView

1 Permission description

WebView can open local files through file URLs. This privilege is controlled by the following settings:

    // Set whether JavaScript loaded from a file URL may read other local files
    webSettings.setAllowFileAccessFromFileURLs(false);
    // Set whether JavaScript loaded from a file URL may access other origins (including http, https and others)
    webSettings.setAllowUniversalAccessFromFileURLs(false);

Both settings are turned on by default. In Android O, where permissions were tightened and refined, this may no longer be a problem.
The root cause of the problem is that a page loaded in the WebView can read any local file the host app can access, so what leaks is the set of local files accessible to the app.

2 Threat scenario analysis

This threat has been exploited in the following scenarios:

2.1 The visited webpage is modified

WebView is generally used for pages that change too often to be suitable for native implementation, or for pages with complex but unchanging styling. Such pages are generally fetched over http (including https). If the page is hijacked in transit or the origin server is directly attacked, visiting the tampered page becomes a threat.

2.2 A low-privilege app obtains information through a high-privilege app

On the same system, apps generally have the same privileges. However, some system apps or applications that have gained root have higher privileges. A low-privilege app can use the WebView as a springboard to reach, through these applications, files that it cannot access directly. The precondition is that the page hosting the WebView can be opened by other apps. High privilege here is not limited to access to system-level files; it may also mean app-specific files, such as signature files and cached keys, that only the high-privilege app can access.

Fix

It is recommended to disable both permissions:

    // Set whether JavaScript loaded from a file URL may read other local files
    webSettings.setAllowFileAccessFromFileURLs(false);
    // Set whether JavaScript loaded from a file URL may access other origins (including http, https and others)
    webSettings.setAllowUniversalAccessFromFileURLs(false);

If local file access is needed, disable JavaScript for pages loaded through the file protocol:

    // Do not allow pages loaded through the file protocol to run JavaScript
    if (url.startsWith("file://")) {
        webSettings.setJavaScriptEnabled(false);
    } else {
        webSettings.setJavaScriptEnabled(true);
    }
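
URL schemes are case-insensitive and `file:/path` (single slash) is also a valid file URL form, so an exact `startsWith("file://")` comparison can miss file URLs. The following is an added example, not code from the original article: it goes beyond the check above by turning it into a fail-closed allowlist in plain Java. The class name `FileUrlJsPolicy` and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example: decides whether JavaScript may be enabled for a URL before
// it is loaded in a WebView. FileUrlJsPolicy is a hypothetical helper name.
public final class FileUrlJsPolicy {

    private FileUrlJsPolicy() {}

    // Returns true only for http/https; file: URLs and unparsable input get no JavaScript.
    public static boolean allowJavaScript(String url) {
        if (url == null) {
            return false;
        }
        final String scheme;
        try {
            // URI parsing extracts the scheme regardless of case or slash count.
            scheme = new URI(url.trim()).getScheme();
        } catch (URISyntaxException e) {
            return false; // fail closed on malformed input
        }
        if (scheme == null) {
            return false; // relative or scheme-less input
        }
        switch (scheme.toLowerCase(Locale.ROOT)) {
            case "http":
            case "https":
                return true;
            default:
                return false; // file: and every other scheme
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the variants a prefix check misses.
        String[] samples = {
            "https://example.com/index.html",
            "file:///android_asset/help.html",
            "FILE:///sdcard/page.html",
            "file:/sdcard/page.html",
            " file:///sdcard/page.html",
        };
        for (String s : samples) {
            System.out.println(allowJavaScript(s) + "  " + s);
        }
    }
}
```

In an Activity, the result would be passed to `webView.getSettings().setJavaScriptEnabled(...)` before calling `loadUrl(url)`.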
