AwesomeWebView-Android
Google PlayStore Warning
When I published my app to the PlayStore it gives me a security warning in the Android Developer Console.
The warning is like this: The app contains a WebView which is vulnerable to injecting code through the java script interface. Suspicious area: com.wuadam.awesomewebview.helpers.VideoJsHelper->addJavascriptInterface
And it says that the problem should be solved before 07/07/2019. I don't know what happens then ... maybe the app will be removed from the store?
In my code I never call this method. The call is here: awesomewebview/helpers/VideoJsHelper.java line 56-66. Wanted to let you know, maybe this helper class can be changed or improved for a future version.
@WilliamBrain Thank you for reminding me, and apologies for the delay in replying.
I found official remediation by Google: https://support.google.com/faqs/answer/9095419?hl=en-GB
and also some posts on Stack Overflow that may help:
https://stackoverflow.com/questions/53679624/remediation-for-javascript-interface-injection-vulnerability
https://stackoverflow.com/questions/53705818/how-to-address-remediation-for-javascript-interface-injection-vulnerability
The conclusion is that, if possible, it is better to use HTTPS in your app. If you use HTTP, JavaScriptInterface won't be allowed by Google Play. VideoJsHelper is a helper class to make video full screen. It contains JavaScriptInterface. If it is possible for your app to use only HTTPS without HTTP, you can set android:usesCleartextTraffic to false in your Manifest to dismiss the warning from Google Play.
@hzw1199 Your answer doesn't seem to relate to the question; the major issue is the possibility of a malicious app injecting JavaScript code through an interface (method) exposed by the WebView instance.
https://github.com/hzw1199/AwesomeWebView-Android/blob/bb75bd63cbc4effa36d9992123c3509c83c2628d/sample/src/main/java/com/wuadam/awesomewebview/sample/MainActivity.java#L54
@gustavocagninzup This library injects JavaScript to make video fullscreen, just like what Google Play indicates: The app contains a WebView which is vulnerable to injecting code through the java script interface. Suspicious area: com.wuadam.awesomewebview.helpers.VideoJsHelper->addJavascriptInterface.
.injectJavaScript("javascript: alert(\"This is js inject\")")
is an interface of this library; it also injects JavaScript.
It's strange that all my apps use this library but I have never had such a warning from Google. Maybe I can improve this library. BTW, thank you for your messages @WilliamBrain @gustavocagninzup
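One way to act on the remediation discussed in this thread, as an added example that is not AwesomeWebView's code or part of any comment above: a helper that attaches a JavaScript interface only while the WebView shows HTTPS pages from hosts the app trusts. The class name `GatedJsBridge`, its methods and the host allowlist are hypothetical; it assumes API level 24+ for the `WebResourceRequest` overload.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: exposes a JS bridge only to HTTPS pages on allowlisted hosts. */
public final class GatedJsBridge {
    private final Set<String> trustedHosts; // assumption: lowercase hosts the app controls
    private final Object bridge;            // object carrying @JavascriptInterface methods
    private final String name;              // name the bridge gets inside page JavaScript
    private boolean attached;               // whether the bridge is currently registered

    public GatedJsBridge(Set<String> trustedHosts, Object bridge, String name) {
        this.trustedHosts = trustedHosts;
        this.bridge = bridge;
        this.name = name;
    }

    /** True only for https:// URLs whose host is in the allowlist. */
    boolean isTrusted(Uri uri) {
        return uri != null && "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && trustedHosts.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    /** Call instead of webView.loadUrl(). Adding or removing an interface only
     *  takes effect on the next page load, so the decision is made before loading. */
    public void load(WebView webView, String url) {
        attached = isTrusted(Uri.parse(url));
        if (attached) {
            webView.addJavascriptInterface(bridge, name);
        } else {
            webView.removeJavascriptInterface(name);
        }
        webView.loadUrl(url);
    }

    /** Re-evaluates trust when a navigation (link click, redirect) changes origin. */
    public void install(WebView webView) {
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                if (isTrusted(request.getUrl()) == attached) {
                    return false; // trust level unchanged, let the WebView proceed
                }
                load(view, request.getUrl().toString()); // re-gate, then load explicitly
                return true;
            }
        });
    }
}
```

An interface added with `addJavascriptInterface` is visible to every frame of the page, so the allowlisted pages themselves must not embed untrusted iframes.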