WebViews can be dangerous – especially misconfigured WebViews. Let’s take two case studies, an Android email application and an advertising SDK, to explore the ramifications of using insecure WebViews. From these case studies, we’ll see that misconfigured WebViews can have serious implications: a misconfigured email application allowed remote users to steal files from a user’s Android device, and an otherwise normal advertising SDK allowed advertisers to track users and read files from a user’s external storage.
Jesson Soto Ventura is a security consultant at Carve Systems, where he is routinely working on breaking something. When he isn’t breaking something at work, he’s working on hacking IoT devices and contributing to open source projects.