Reputation: 1758
Remediation for JavaScript Interface Injection Vulnerability
I received a warning from Google Play Console that refers me to this page because I used JavaScript Interface in my app and suggest two options to solve the problem .
Option 1 tells :
Ensure that there are no objects added to the JavaScript interface of any WebView that loads untrusted web content. You can do this in two ways:
Ensure that no objects are ever added to the JavaScript interface via calls to addJavascriptInterface.
Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView.
but I can't understand what google exactly says specially on :
Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView
can someone tell me more explanation ?
Upvotes: 7
Views: 3540
Answers (3)
Reputation: 879
You can resolve this issue in following ways:
- If your website supports HTTPS, use "https://" prefix in loadUrl method.
- You can set android:usesCleartextTraffic to false in your Manifest or set a Network Security Config that disallows HTTP traffic. It also means that your website should run on HTTPS.
Now, coming to your question about "Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView" : It mean that your app should remove (or disable) JavaScriptInterface whenever there is any non HTTPS URL is loaded within the WebView.
After doing any of these, you need to update APK on Play Console.
Conclusion is that if you want to use JavaScriptInterface, better use HTTPS on your website. If you use HTTP, JavaScriptInterface won't be allowed by Google Play.
Upvotes: 3
Reputation: 1758
I just release an update without doing something special and warning disappeared BUT not sure it will came back again or not
Upvotes: 0
Reputation: 43
I faced the same problem, and have not been able to figure this out, either. What worked for me, documented in How to address "Remediation for JavaScript Interface Injection Vulnerability"?, was to use WebView.evaluateJavascript. Alas, that is not a full replacement for all use cases of JavascriptInterface, but maybe it's sufficient for your purposes.
Upvotes: 0
Related Questions
- Android 4.2.1, WebView and javascript interface breaks
- Your app(s) are using a WebView that is vulnerable to cross-app scripting Android PlayStore Warning
- Android JavascriptInterface Security?
- Your app includes a WebView that is vulnerable to cross app scripting
- Android Webview Javascript Injection
- Javascript injection into webview
- Android webview SKIPS javascript even with setJavascriptEnabled(true) and WebChromeClient
- Android JavascriptInterface solving vulnerability below api 17
- Make javascript injection compatible for api 16
- Javascript injection problem in Android 2.1 emulator but fine in 2.2