From the course: Writing Secure Code for Android by Infosec

Unlock this course with a free trial

Join today to access over 24,900 courses taught by industry experts.

Cross-app scripting

Cross-app scripting

From the course: Writing Secure Code for Android by Infosec

Start my 1-month free trial Buy for my team

Cross-app scripting

- Okay, everyone, let's talk about something that is a uniquely Android vulnerability, cross-app scripting. Now, unlike cross-site scripting where you have two websites, in this case we're talking about two apps running on the same device. And what happens is that a WebView in one app is tricked by a malicious app into executing malicious JavaScript in an unsafe context. It can be vulnerable if, one, it enables JavaScript, and two, it loads data that is read from an untrusted intent. There was actually a historical example that was rather scandalous. The company Box had put out an SDK and it was available for quite some time and it had an actual vulnerability. And Google put out an advisory and they told people how to check for their own apps and make sure that the vulnerability is dealt with. Here's an example. I have an intent. I have a URL. I getStringExtra, this is just extra data read from the intent. Now, what if this URL points to the cookies database, the local cookies…

Contents