High‑Risk Android WebView Cross‑Origin Access Vulnerability – Description, Impact, Detection, and Mitigation
A security bulletin released on January 9 2018 details a critical Android WebView cross‑origin vulnerability that can expose user privacy data and credentials, outlines its widespread impact on many apps, and provides detection tools and concrete remediation steps for developers.
On January 9 2018, the National Information Security Vulnerability Sharing Platform issued a security announcement about a high‑risk cross‑origin access vulnerability in the Android WebView component.
Vulnerability Description: An attacker can remotely obtain user privacy data—including app data, photos, documents, and login credentials—and gain full control of the victim’s app accounts without detection, posing a serious threat due to the component’s extensive use on Android.
Impact Scope: Numerous popular Android apps were found to contain an “app cloning” vulnerability, affecting roughly 10 % of mainstream apps. The announcement notes that 360’s own apps are not affected because they have been protected from this threat from the development stage.
How to Detect: Use 360’s Fireline code‑analysis tool (available at magic.360.cn) to scan the code. Install the Fireline Android Studio plugin for developers or the Fireline Jenkins plugin for testers, then review the generated report to confirm whether the “app cloning” vulnerability exists.
Mitigation Recommendations:
1. When file‑domain access is not required, set setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs to false explicitly. Both default to true on Android versions before 4.1 (API 16) and to false from 4.1 onward, so an app that never sets them is exposed on older devices; do not rely on the platform default.
2. If file‑domain access is needed, whitelist file paths and strictly limit the accessible range:
• Static HTML files can be placed in assets or res directories (accessible via file:///android_asset and file:///android_res without enabling the APIs).
• Frequently updated HTML files should reside in the app’s private data directory (/data/data/<package>), which other apps cannot write to, so that a third party cannot replace them.
• Normalize or canonicalize the requested path before comparing it against the whitelist, so that traversal sequences such as “../../” (including their percent‑encoded forms) cannot escape the allowed directory.
3. Prevent the app’s internal WebView from being invoked by untrusted third parties: check whether Activities hosting a WebView are exported (android:exported="true" or an intent‑filter declared), and whether any exported Activity can be steered to the internal WebView, or to an attacker‑chosen URL, through Intent parameters.
4. Protect sensitive data stored in the app directory by encrypting it with device‑specific keys (e.g., IMEI, IMSI, Android_id) so that a copied file is useless on another device. Note that these identifiers can be read by other apps holding the relevant permissions, so this raises the cost of exploitation rather than preventing it; a key held in the Android Keystore is the stronger choice where available.
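The procedure in recommendations 1 to 3, as one added example that is not code from the bulletin or from 360. The class and method names, the “html” subdirectory under the private files directory, and the “url” Intent extra are assumptions made for this example; the policy deliberately accepts only https:// and whitelisted file:// URLs, which also refuses javascript:, content: and intent: schemes.

```java
// Added example (not code from the bulletin or from 360): one way to apply
// recommendations 1-3. Class and method names, the "html" subdirectory and
// the "url" Intent extra are assumptions made for this example.
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;

public final class HardenedWebView {
    private HardenedWebView() {}

    /** The exposed configuration, for contrast. Before Android 4.1 (API 16) the two
     *  FromFileURLs flags defaulted to true, so an app that never set them was exposed. */
    public static void vulnerableSettings(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
    }

    /** Recommendation 1: forbid cross-origin reads from file:// pages. */
    public static void hardenedSettings(WebView wv, boolean needsFileUrls) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccessFromFileURLs(false);   // set explicitly on every API level
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowFileAccess(needsFileUrls);       // drop file:// entirely when unused
    }

    /** Recommendation 2: a whitelist of file:// directories with "../" neutralised. */
    public static final class FileUrlPolicy {
        private final List<String> allowedDirs;   // each entry ends with "/"

        public FileUrlPolicy(Context ctx) {
            // Static HTML under assets/res; frequently updated HTML under the private
            // app directory (/data/data/<package>/files/html on most devices).
            File html = new File(ctx.getFilesDir(), "html");
            allowedDirs = Arrays.asList("/android_asset/", "/android_res/",
                    html.getAbsolutePath() + "/");
        }

        /** Lexically resolves "." and ".." so the prefix test sees the real target. */
        static String normalize(String path) {
            Deque<String> stack = new ArrayDeque<>();
            for (String seg : path.split("/")) {
                if (seg.isEmpty() || seg.equals(".")) continue;
                if (seg.equals("..")) { stack.pollLast(); continue; }  // cannot climb above "/"
                stack.addLast(seg);
            }
            StringBuilder sb = new StringBuilder();
            for (String seg : stack) sb.append('/').append(seg);
            return sb.length() == 0 ? "/" : sb.toString();
        }

        public boolean isAllowed(String url) {
            Uri u = Uri.parse(url);
            if ("https".equals(u.getScheme())) return true;   // remote pages: the normal case
            // Anything else that is not a whitelisted file:// path is refused, which
            // also covers javascript:, content: and intent: URLs.
            if (!"file".equals(u.getScheme()) || u.getPath() == null) return false;
            String target = normalize(u.getPath());           // getPath() already percent-decodes
            for (String dir : allowedDirs) {
                if (target.startsWith(dir)) return true;
            }
            return false;
        }
    }

    /** Recommendation 2 enforced for top-level navigations and subresources alike. */
    public static WebViewClient restrictingClient(final FileUrlPolicy policy) {
        return new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !policy.isAllowed(url);                 // true cancels the navigation
            }
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (policy.isAllowed(url)) return null;        // null lets the load proceed
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0])); // empty body blocks it
            }
        };
    }

    /** Recommendation 3: keep the hosting Activity android:exported="false"; if it must
     *  be exported, validate any Intent-supplied URL against the same policy. */
    public static String targetUrl(Intent intent, FileUrlPolicy policy, String fallback) {
        String requested = intent == null ? null : intent.getStringExtra("url");
        return requested != null && policy.isAllowed(requested) ? requested : fallback;
    }
}
```

In an Activity’s onCreate(), build a FileUrlPolicy from the Context, call hardenedSettings(webView, true), install restrictingClient(policy) as the WebViewClient, and load targetUrl(getIntent(), policy, "file:///android_asset/index.html"). The String overloads of the two WebViewClient callbacks are deprecated since API 24, but the WebResourceRequest overloads fall back to them by default, so one implementation covers old and new devices; shouldInterceptRequest also sees the initial loadUrl(), which shouldOverrideUrlLoading does not. Lexical normalisation handles “../” and its encoded forms but not symlinks; inside the private app directory only the app itself can create those.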
360 Quality & Efficiency
360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.