WebView vulnerability:
**
AdJavascriptInterface () Interface ** in WebView
One way JS calls Android is to map objects through the addJavascriptInterface interface:
// Parametric 1: Android's local object // Parametric 2: JS object // By associating local objects in Android with objects in JS through object mapping, the object and method of calling Android by JS can be realized. mWebView.addJavascriptInterface(new MyJSInterface(),"androidJsInterface");
Because WebView binds a Java object through addJavascriptInterface, according to Java's reflection mechanism, it can get more instance objects than more methods, and indirectly, and operate on them:
try { Runtime runtime = (Runtime) this.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null); Process process = runtime.exec("date"); InputStream inputStream = process.getInputStream(); BufferedInputStream bufferedInputStream = new BufferedInputStream(inputStream); byte[] b = new byte[1024]; bufferedInputStream.read(b); String dateString = new String(b,"utf-8"); Toast.makeText(this,dateString,Toast.LENGTH_LONG).show(); } catch (IllegalAccessException e) { e.printStackTrace(); } catch (InvocationTargetException e) { e.printStackTrace(); } catch (NoSuchMethodException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); }
This is Java, which gets Runtime from the current instance and then lets it execute the date command. The same is true in JS.
Solution
(1) After Android 4.2
In version 4.2 of Android, Google stipulates that the called function be annotated with @JavascriptInterface to avoid vulnerability attacks:
private static class MyJSInterface{ @JavascriptInterface public void showMessage(String msg){ Log.d("JS Interface Message#",msg); } }
(2) Before Android 4.2, it was difficult to fix the vulnerability by intercepting prompt().