Android Webview Java and Javascript safe interaction

Recently, I need to detect the source code of a web page. There is no direct interface to obtain the source code of the web page in Android Webview. The traditional addJavascriptInterface method has security risks, so I studied the security interaction between Java and Javascript.

Android Webview Vulnerability

Android Webview has two very well-known vulnerabilities:

• The recently exposed UXSS vulnerability can bypass the same-origin policy and obtain the cookies and other information of any web page. This problem exists on Android 4.4 and below, and there is basically no solution. It can only be solved by recompiling the browser kernel. For details, please refer to the recent mobile security events. If you are interested, you can watch the video of @RAyH4c hijacking Weibo and QQ space.
• The long-known arbitrary command execution vulnerability, through the addJavascriptInterface method, Js can call Java object methods, through the reflection mechanism, Js can directly obtain the Runtime, and thus execute arbitrary commands. For Android 4.2 and above, you can ensure security by declaring @JavascriptInterface. For Android 4.2 and below, you can no longer call addJavascriptInterface, and you need to find another way.

Safe interaction between Java and Javascript

First of all, a few points:

1. It is easy to call Js methods from Java in Android Webview. loadUrl("javascript:isOk()") can call the isOk Js method, but the return result of the Js method cannot be directly obtained.

 class JsObject {
 @JavascriptInterface  
 public String toString() { return   "injectedObject" ; }
 }
    webView.addJavascriptInterface( new JsObject(), "injectedObject" );
    webView.loadData( "" , "text/html" , null );
    webView.loadUrl( "javascript:alert(injectedObject.toString())" );

2. In the traditional method, Js can obtain Java information in the following ways:

 import android.app.Activity;
 import android.graphics.Bitmap;
 import android.os.Bundle;
 import android.util.Log;
 import android.webkit.WebView;
 import android.webkit.WebViewClient; 
 
 public   class HtmlSource extends Activity {
 private WebView webView; 
 
 @Override  
 public   void onCreate(Bundle savedInstanceState) {
 super .onCreate(savedInstanceState);
        setContentView(R.layout.main);
        webView = (WebView)findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled( true );
        webView.addJavascriptInterface( new InJavaScriptLocalObj(), "local_obj" );
        webView.setWebViewClient( new MyWebViewClient());
        webView.loadUrl( "http://www.cnblogs.com/hibraincol/" );
 } 
 
 
 final   class MyWebViewClient extends WebViewClient{
 public   boolean shouldOverrideUrlLoading(WebView view, String url) {
            view.loadUrl(url);
 return   true ;
 }
 public   void onPageStarted(WebView view, String url, Bitmap favicon) {
            Log.d( "WebView" , "onPageStarted" );
 super .onPageStarted(view, url, favicon);
 }
 public   void onPageFinished(WebView view, String url) {
            Log.d( "WebView" , "onPageFinished " );
            view.loadUrl( "javascript:window.local_obj.showSource('<head>'+" +
 "document.getElementsByTagName('html')[0].innerHTML+'</head>');" );
 super .onPageFinished(view, url);
 }
 } 
 
 final   class InJavaScriptLocalObj { 
 
 public   void showSource(String html) {
            Log.d( "HTML" , html);
 }
 }
 }

3. When there is a hyperlink jump in the web page, the shouldOverrideUrlLoading method of WebClient will be called. If WebViewClient is set and the method returns true, it means that the URL is processed by the application code and WebView does not, which can achieve the effect of intercepting the jump.

Understanding the above points, we can summarize a relatively safe way for Java and Js to interact :

We can learn from the idea of ​​Android Intent. Java and Js define a URL format such as js://_. Java calls the Js method. In the Js method, window.location.href='js://_?key=value#key1=value1' is used to simulate the jump. It is captured by Java's shouldOverrideUrlLoading. The return value of the function can be placed in the URL parameter. (The principle of Js calling Java methods is the same)

This interaction method is asynchronous. What if you want to know whether calling a Js method returns a value? Generally, Java calls the Js method in the onPageFinished method, and obtains the Js return value in the shouldOverrideUrlLoading method. The two methods have a common parameter webview, so you can first call webview.setTag(false). If the return result is captured, then call webview.setTag(true). After a short time, such as 300 milliseconds, call webview.getTag() to check whether there is any change.