r.bhardwaj

Reputation: 1613

Android JavascriptInterface solving vulnerability below api 17

I have an application which acts like a browser and displays results in an Android WebView. Among them, some results are rendered from my own server and use a javascriptInterface object to call Java methods.

Inside the WebViewClient shouldOverrideUrlLoading() method, I added the javascriptInterface only for selected URLs of my server and removed the javascriptInterface for the remaining URLs, as shown in the code below:

    if (url.contains("mypage1.html") || url.contains("mypage2.html")) {
        webView.addJavascriptInterface(new JavaScriptInterface(), "XYZ");
    } else {
        webView.removeJavascriptInterface("XYZ");
    }

A dummy url myevilpage.html containing evil javascript is also loaded along with mypage1.html and mypage2.html. I have verified that myevilpage.html javascript couldn't call Java methods.

Is this approach okay for ensuring no urls other than my specific urls could bind using javascriptInterface bridge?

I have already referred the following links:
http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface
Android App using Webview/javascript. what can be security concern?
Android JavascriptInterface Security?

Upvotes: 2

Views: 1728

Answers (1)

CommonsWare

Reputation: 1007554

> Is this approach okay for ensuring no urls other than my specific urls could bind using javascriptInterface bridge?

No. You are using contains() and not equals(), so an attacker can trivially craft a URL that happens to have those substrings. Also, there may be timing issues, as you are determining the availability of the JS interface before that page is loaded, which means you are immediately affecting the currently-loaded page.

There would still be other possible attacks (e.g., proxy servers, evil JS served by those pages through ad networks or other third-party sources) that URL detection would not catch, though addressing those would be difficult at best.

Upvotes: 1
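
An added example (not code from the question or the answer) that runs the question's contains() test and an exact match on scheme, host and path over the same constructed URLs. The host myserver.example, the class and method names, and the sample URLs are assumptions made for illustration; java.net.URI is used so it runs without the Android SDK, and it covers only the contains() point, not the timing or third-party-script issues raised in the answer.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class BridgeUrlCheck {
    // Assumption: placeholder host standing in for the asker's own server.
    static final String TRUSTED_HOST = "myserver.example";
    static final Set<String> TRUSTED_PATHS = Set.of("/mypage1.html", "/mypage2.html");

    // The test from the question: true when the page name appears anywhere in the URL.
    static boolean substringCheck(String url) {
        return url.contains("mypage1.html") || url.contains("mypage2.html");
    }

    // Exact match: https only, no user-info, default port, exact host, exact path.
    static boolean strictCheck(String url) {
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme())
                    && u.getRawUserInfo() == null
                    && u.getPort() == -1
                    && TRUSTED_HOST.equalsIgnoreCase(u.getHost())
                    && u.getRawPath() != null
                    && TRUSTED_PATHS.contains(u.getRawPath());
        } catch (URISyntaxException e) {
            return false; // a URL that does not parse never gets the bridge
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; only the first is a page that should get the bridge.
        String[] samples = {
            "https://myserver.example/mypage1.html",
            "http://myserver.example/mypage1.html",
            "https://attacker.example/mypage1.html",
            "https://attacker.example/myevilpage.html?ref=mypage2.html",
            "https://myserver.example.attacker.example/mypage2.html",
            "https://myserver.example@attacker.example/mypage1.html",
            "https://myserver.example/files/mypage1.html.bak",
        };
        for (String s : samples) {
            System.out.printf("%-60s substring=%-5b strict=%b%n",
                    s, substringCheck(s), strictCheck(s));
        }
    }
}
```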
