Bifocals: Analyzing WebView Vulnerabilities in Android Applications

WISA(2013)

Citations: 106 | Views: 118
Abstract
WebViews allow Android developers to embed a webpage within an application, seamlessly integrating native application code with HTML and JavaScript web content. While this rich interaction simplifies developer support for multiple platforms, it exposes applications to attack. In this paper, we explore two WebView vulnerabilities: excess authorization, where malicious JavaScript can invoke Android application code, and file-based cross-zone scripting, which exposes a device's file system to an attacker. We build a tool, Bifocals, to detect these vulnerabilities and characterize the prevalence of vulnerable code. We found 67 applications with WebView-related vulnerabilities (11% of applications containing WebViews). Based on our findings, we suggest a modification to WebView security policies that would protect over 60% of the vulnerable applications with little burden on developers.
Keywords
Security, Smartphones, Mobile applications, Static analysis