Audit: Web views should not have access to files JAVA-A1028
Avoid granting file access privileges to web views.
Web views are containers for regular web pages, and as such have very similar considerations for security.
If a security flaw were discovered which could help an attacker inject malicious JavaScript code into the displayed web content, any malicious code could use this to access files from an affected device.
Bad Practice
The setAllowFileAccess() and setAllowContentAccess() methods must not be called with true as an argument.
WebView webView = someView.findViewById(R.id.some_web_view);
webView.getSettings().setAllowFileAccess(true);
webView.getSettings().setAllowContentAccess(true);
Recommended
Disallow file/content access for such web views. If you require a web view to access files on the device, consider binding a native interface to the web view. JavaScript code within it would then need to interact with the safe interface controlled by you, preventing unauthorized access.
References
- Android Developer Reference - Building web apps in WebView
- OWASP Top Ten (2021) - Category A03 - Injection
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-200 - Information Exposure