WebView: what it is and how attackers use it

Father

Links in apps don't always open in the browser – the user can stay in the mobile app interface. Such embedded web pages, for example, are available in social networks and instant messengers. You can create them using the WebView component, which has recently become very popular in mobile development.

Its many advantages explain the high interest in it. However, experts warn that the technology needs to be used wisely: it contains vulnerabilities that may be of interest to cyber scammers.

What is WebView?

Android System WebView is a system component that is responsible for opening web pages inside other applications. It lets the app owner track user actions and gives access to detailed statistics, which is not possible when the link opens in a third-party browser.

There are obvious advantages on the user side as well: WebView loads content faster and uses fewer device resources than opening a link in a third-party browser.

Why is it popular

Recently, WebView has been particularly interesting for marketers. They use it as an inexpensive testing ground to test their hypotheses. In WebView, you can build communication with the client in different ways – for example, add an online chat and push notifications, and then track the response. It also makes it easier to test marketing scenarios and segment your target audience.

In another case, WebView is used as a separate development stage or as an MVP (Minimum Viable Product). The component helps you quickly evaluate how a feature will be implemented on two platforms at once: in the app and on the web. The same applies to bugs and vulnerabilities, which are also easier to track when the component is enabled.

Finally, the third popular use case for WebView is that it can completely replace a company's website. It was recently used by financial and other organizations that had to face sanctions on the network.

Fly in the ointment, or What's wrong with WebView

Despite its popularity and advantages, an embedded browser is often fraught with cyber threats. And, as a rule, this is not the fault of the developers of the Android application.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

The default settings in the modern version of Android provide a basic level of WebView security. However, app developers almost always make their own settings and changes to this component. That is why when enabling it, you should not forget about information security risks.

Usually, vulnerabilities in WebView are detected before attackers can take advantage of them. This is what happened with the Galaxy App Store case that Samsung announced in early 2023. The story of a bug in TikTok's WebView component, which Microsoft discovered in 2022, also ended without victims.

According to experts, the main problem with WebView is the same as with any third-party browser: unauthorized persons can gain access to it, and information sent to the application's back end can be intercepted. In particular, there is always a risk of an XSS attack, in which an attacker inserts malicious code into a web page and steals user data.

Vladislav Gusev
Director of the IT company GUSCOM

WebView is convenient and practical, but the component can also create potential vulnerabilities. For example, it can download malicious content for a user or device. The reasons may include the use of outdated libraries and APIs, as well as incorrect configuration of the component.

At the same time, as a component that is responsible for opening links, WebView can display pages both from a remote site and from local storage, most often the app's resources.

Alexander Gerasimov
CISO Awillix

This is how developers implement a caching mechanism to support offline mode. Worse – if from local memory. Even worse – if from a shared folder. We will also add various methods for forcibly redirecting the display path through classic attacks on paths, as well as special cases, such as android.net.URI vulnerabilities, shouldOverrideUrlLoading, DeepLink processing problems, and so on.

At the same time, WebView is a subclass of the Android View class and exposes additional configuration options that make attacks from inside the application possible. For example, the @JavascriptInterface annotation lets you create an interface for JavaScript running in WebView, and that interface is available to every page that is loaded. If an insecure protocol is used somewhere, this can be used to inject JS code into the application.

The expert recalls that WebView is also a fragment of the Android ecosystem, so we can't rule out problems with data storage. The data may not be tied to the app's business scenario, but it can be used on some screens, saved locally, and stored for a very long time.

Safety precautions with WebView

To keep an Android app with a built-in browser protected, Cyber Media's interlocutors advise:
  • use HTTPS: interaction with servers hosting the back end must be encrypted,
  • properly manage SSL: you need to consider the situation when a secure connection cannot be established,
  • enable JavaScript only for secure content that you can manage yourself,
  • disable WebView access to the device's file system,
  • create whitelists of addresses that can be accessed by the built-in browser,
  • always check the source and content of web pages before integrating them with WebView,
  • monitor and filter all user data before displaying it in the built-in browser, and use the Content Security Policy (CSP) to restrict the sources from which content is allowed to be downloaded,
  • regularly update used libraries and APIs to avoid vulnerabilities associated with outdated code,
  • restrict access to cross-site resources: configure WebView so that it does not grant access to resources of other sites, thereby preventing data leakage,
  • regularly test the app's security for vulnerabilities using specialized tools and services.

At the same time, experts agree that protection has to start with a competent audit of the application. Only an audit shows which measures are needed in each specific case and whether WebView is needed at all.

At the same time, experts agree that you need to start building protection with a competent audit of the application. Only it will let you know what measures will be needed in each specific case and whether WebView is needed at all.

Results

What is WebView? It is primarily a convenient developer tool. At best, it is an advantage that the app owner and users will appreciate. At worst, it is intruders who will appreciate it.

However, WebView is increasingly becoming a mandatory step in creating a mobile app. It helps you test hypotheses, replace site pages, and even solve companies' problems related to sanctions.

All of these are important reasons to be aware of vulnerabilities when connecting a component. Fortunately, there aren't many of them.
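
The configuration-level items from the precautions list above (HTTPS only, TLS error handling, JavaScript off, no file access, an address whitelist), as an added Java example that is not part of the original post. The class name `HardenedWebView`, its method names and the `example.com` hosts are placeholders, and the code assumes API level 24 or later.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class HardenedWebView {
    // Assumption: placeholder hosts; list only the hosts your app must display.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));
    static boolean isAllowed(String url) {
        try {
            URI u = new URI(url); // strict parser; malformed input is rejected
            return "https".equalsIgnoreCase(u.getScheme()) && u.getHost() != null
                    && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // fail closed
        }
    }
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);  // enable only for content you control
        s.setAllowFileAccess(false);    // no file:// loads
        s.setAllowContentAccess(false); // no content:// loads
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                return !isAllowed(r.getUrl().toString()); // true blocks the navigation
            }
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel(); // never call proceed() on a certificate error
            }
        });
    }
    public static void loadIfAllowed(WebView webView, String url) {
        if (isAllowed(url)) webView.loadUrl(url);
    }
}
```

`shouldOverrideUrlLoading` is not invoked for URLs the app itself passes to `loadUrl`, which is why `loadIfAllowed` applies the same whitelist check before loading.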