Android : JavaScript interface in WebView
Classification
Overview
The addJavascriptInterface() method is called on a WebView instance. It injects a Java object into that WebView and lets JavaScript code on the displayed web page invoke the object's methods. On Android 4.1 and below, this mechanism can be used for reflection injection attacks, with consequences up to an attacker obtaining complete control of the device.
The WebView class loads and displays web pages, including pages that contain JavaScript code. The addJavascriptInterface() method injects a Java object into the current WebView instance and exposes the object's public methods to JavaScript code. On Android 4.1 and below, this mechanism enables a reflection injection attack. Such attacks are extremely dangerous because they let an attacker invoke public methods of arbitrary classes in the context of the application. As a result, an attacker can significantly alter the application's behaviour, bypass authentication mechanisms, compromise the confidentiality of user data, and, in the worst case, obtain fully privileged access to the device.
Applications targeting API Level 17 (JELLY_BEAN) and below are the most vulnerable to this attack. In applications targeting API Level 18 (JELLY_BEAN_MR1) and above, only public methods of the Java object that carry the @JavascriptInterface annotation are accessible from JavaScript code. Such applications are still at risk if the device runs a version of Android below 4.2.
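As an added example (not from the original page), the following Java fragment shows how an application can expose a bridge while limiting the attack surface described above: only annotated methods are reachable, the bridge is withheld on devices below Android 4.2 where the annotation is not enforced, and navigation is confined to a trusted origin. AppBridge, WebViewSetup and the host app.example.com are assumed names.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical bridge object. On Android 4.2+ (with targetSdkVersion >= 17) only
// methods annotated with @JavascriptInterface are callable from page JavaScript.
final class AppBridge {
    @JavascriptInterface
    public String getAppVersion() {
        return "1.0"; // constructed value
    }

    // Not annotated: invisible to page scripts on Android 4.2+. Below 4.2 every
    // public method (including getClass(), the reflection entry point) is reachable.
    public void resetSession() {
        // application-specific cleanup
    }
}

final class WebViewSetup {
    // Hypothetical allowlisted origin that serves the application's own pages.
    private static final String TRUSTED_HOST = "app.example.com";

    @SuppressLint("SetJavaScriptEnabled")
    static void attachBridge(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);

        // Keep navigation inside the trusted HTTPS origin so third-party scripts
        // never execute in a WebView that has a bridge attached.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri uri = Uri.parse(url);
                boolean trusted = "https".equals(uri.getScheme())
                        && TRUSTED_HOST.equals(uri.getHost());
                return !trusted; // true = block the navigation
            }
        });

        // The @JavascriptInterface restriction is not enforced below Android 4.2,
        // so on those devices the bridge is not exposed at all.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return;
        }
        webView.addJavascriptInterface(new AppBridge(), "AndroidBridge");
    }
}
```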
