[2018年最新整理]androidWebView详解,常见漏洞详解和安全源码(下).docVIP

android WebView详解，常见漏洞详解和安全源码（下） WebView 常见漏洞 　　WebView 的漏洞也是不少，列举一些常见的漏洞，实时更新，如果有其他的常见漏洞，知会一下我～～ WebView 任意代码执行漏洞 　　已知的 WebView 任意代码执行漏洞有 4 个，较早被公布是 CVE-2012-6636，揭露了 WebView 中 addJavascriptInterface 接口会引起远程代码执行漏洞。接着是 CVE-2013-4710，针对某些特定机型会存在 addJavascriptInterface API 引起的远程代码执行漏洞。之后是 CVE-2014-1939 爆出 WebView 中内置导出的 “searchBoxJavaBridge_” Java Object 可能被利用，实现远程任意代码。再后来是 CVE-2014-7224，类似于 CVE-2014-1939 ，WebView 内置导出 “accessibility” 和 “accessibilityTraversal” 两个 Java Object 接口，可被利用实现远程任意代码执行。 　　一般情况下，WebView 使用 JavaScript 脚本的代码如下所示： WebView mWebView = (WebView)findViewById(R.id.webView); WebSettings msetting = mWebView.getSettings(); msetting.setJavaScriptEnabled(true); mWebView.addJavascriptInterface(new TestJsInterface(), “testjs”); mWebView.loadUrl(url); CVE-2012-6636 和 CVE-2013-4710 　　Android 系统为了方便 APP 中 Java 代码和网页中的 Javascript 脚本交互，在 WebView 控件中实现了 addJavascriptInterface 接口，如上面的代码所示，我们来看一下这个方法的官方描述： This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for apps targeting JELLY_BEAN or earlier. Apps that target a version later than JELLY_BEAN are still vulnerable if the app runs on a device running Android earlier than 4.2. The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later. With these older versions, JavaScript could use reflection to access an injected objects public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content. JavaScript interacts with Java object on a private, background thread of this WebView. Care is therefore required to maintain thread safety.The Java objects fields are not accessible. For applications target