Hackers of India

Securing Webviews and The Story Behind CVE-2021–21136

By Shiv Sahni and Imdadullah Mohammed on 27 Aug 2021 @ HITB SecConf


Abstract

Webview: an in-app web browser created to ensure a seamless user experience without context switching between the browser and the mobile application. It allows developers to display web content directly inside their mobile application and supports code reuse, so Webviews are used extensively in current mobile application development. This presentation covers the common Webview-related security issues and the techniques to prevent them, making mobile applications secure and robust. We will be talking about the following common security issues and their prevention:

  • Insecure deep link implementation
  • Insufficient URL validation
  • Insufficient Webview hardening
  • Lack of Webview isolation
  • Unintended data leakage via a misconfigured Webview

In the later part of the presentation, we will cover the story behind getting the Chromium CVE-2021-21136 (https://bugs.chromium.org/p/chromium/issues/detail?id=1038002): a security issue in Android Webviews that led to leakage of sensitive data, such as users' auth tokens and shared secrets, to third parties.

AI Generated Summary (may contain errors)

Here is a summary of the content:

Main Topic: Securing WebViews in Mobile Apps

Key Points:

  1. Avoid using UIWebView due to security concerns, i.e., JavaScript is enabled by default and cannot be disabled programmatically.
  2. Use WKWebView, the successor to UIWebView (it comes with improved security features and has risky settings disabled by default).
  3. Follow the principle of least privileges while configuring WebViews:
    • Disable JavaScript if not required.
    • Use Chrome Custom Tabs (Android) and Safari View Controller (iOS) for loading untrusted or third-party content.
    • Implement strong URL validation against whitelisted domains.
  4. Validate URLs correctly:
    • Avoid relying on getHost on Android, as it is insecure for this purpose.
    • Use getAuthority in Android and getHost in iOS.
    • Check the scheme (protocol) of the URL.
  5. Be cautious when sharing sensitive information during third-party integrations:
    • Implement test cases to detect unintended data sharing.
    • Monitor network logs for sensitive content.
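As an added example illustrating points 3 and 4 (this is not the speakers' code), the following Java class checks the scheme and compares the complete authority returned by android.net.Uri against an exact allowlist before a deep-link URL is handed to a WebView, and applies least-privilege settings to that WebView. The class name, the allowlisted hostnames and the handler shape are assumptions.

```java
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class WebViewUrlPolicy {
    // Hypothetical allowlist: exact authorities (host, optionally host:port) the
    // WebView may load. Entries are lowercase so the comparison below is stable.
    private static final Set<String> ALLOWED_AUTHORITIES =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));

    /** Returns true only for https URLs whose entire authority is allowlisted. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        // Scheme check first: rejects http:, javascript:, file:, content:, intent: ...
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Compare the whole authority instead of getHost(). getHost() returns only the
        // part the parser treats as the host, so userinfo ("user@") or unusual
        // separators can make it report an allowlisted name while the WebView
        // navigates elsewhere. An exact authority match leaves no such gap; a URL
        // carrying userinfo or a port simply fails to match.
        String authority = uri.getAuthority();
        if (authority == null || authority.isEmpty()) return false;
        return ALLOWED_AUTHORITIES.contains(authority.toLowerCase(Locale.ROOT));
    }

    /** Least-privilege settings for a WebView that only renders first-party pages. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the content needs it
        settings.setAllowFileAccess(false);     // no file:// loads
        settings.setAllowContentAccess(false);  // no content:// loads
    }

    /** Deep-link entry point: only a validated URL reaches the WebView. */
    public static boolean handleDeepLink(Intent intent, WebView webView) {
        Uri data = intent.getData();
        if (data == null || !isAllowed(data.toString())) {
            return false; // caller should log the rejection and show an error instead
        }
        harden(webView);
        webView.loadUrl(data.toString());
        return true;
    }
}
```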

Conclusion: The presentation highlights the importance of securing WebViews in mobile apps, emphasizing the need to follow best practices and avoid common pitfalls.