问题
Good day all,
I got a email from google play regarding Cross-App Scripting Vulnerability in one or more my published apps. I am using WebView in my apps, so they says my app contains webView Cross-App Scripting issue which can allow malicious apps to steal user cookies and other data. And They give what action I am going to take, that is
Action required
Please follow the steps below to fix the issue with your apps (listed at the end of this email). You can refer to the notice in your Play Console for the deadline to fix this problem. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected. Additional details
WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context. You should prevent this vulnerability in one of the following ways:
Option 1: Ensure that affected activities are not exported
Find any Activities with affected WebViews. If these Activities do not need to take Intents from other apps you can set android:exported=false for the Activities in your Manifest. This ensures that malicious apps cannot send harmful inputs to any WebViews in these Activities.
Option 2: Protect WebViews in exported activities
If you want to set an Activity with an affected WebView as exported then we recommend that you make the following changes:
Update your targetSdkVersion
Ensure that your targetSdkVersion meets Google Play's target API level requirement. Apps with a targetSdkVersion of 16 or lower evaluate JavaScript URLs passed to loadUrl in the currently loaded page context. Targeting SDK version 16 or lower and calling loadUrl using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.
Protect calls to evaluateJavascript
Ensure that parameters to evaluateJavascript are always trusted. Calling evaluateJavascript using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.
Prevent unsafe file loads
Ensure that affected WebViews cannot load the cookie database. WebViews that load unsanitized file:// URLs from untrusted Intents can be attacked by malicious apps in the following way. A malicious web page can write script tags into the cookies database and then a malicious app can send an Intent with a file:// URL pointing to your WebView cookies database. The malicious script will execute if the cookies database is loaded in a WebView and can steal session information.
You can ensure that affected WebViews cannot load the WebView cookies database in two ways. You can either disable all file access or you can verify that any loaded file:// URLs point to safe files. Note that an attacker can use a symbolic link to trick checks on the URL path. To prevent such an attack, be sure to check the canonical path of any untrusted file:// URL before loading instead of just checking the URL path.
So my question is
If I make the changes mentioned in the email, how that will affect my apps?
Does any feature of my app will disabled ?
回答1:
The answer is it depends what you are using WebViews for. If you are just using a WebView as a convenient way of displaying a user interface from HTML, either hardcoded in your app or loaded from your webserver you won't have a problem. Just follow option 1, and then other apps won't be able to do CSS attacks on your web views.
If your app is designed to have webviews used by other apps the answer is a lot more complicated. You'll need to give much more information about what you are using your activities with webviews for, and how they are supposed to be used by other apps in your question.
回答2:
Go to the android Manifest, and if the web activity has the android:exported=”true“, Change it to android:exported=”false“
Go to the manifest, and add the following lines in the Webview activity
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
回答3:
Simplw Answer No There will be no changes in your app. basically
What Cross-application scripting (CAS) is ??
Cross-application scripting (CAS) is a vulnerability affecting applications that don't check input in an exhaustive way. CAS allows an attacker to insert data that modifies the behaviour of a particular application. This makes it possible to extract data from inside of the users' systems. Attackers may gain the full privileges of the attacked application when exploiting CAS vulnerabilities; the attack is to some degree independent of the underlying operating system and hardware architecture.
So Just put changes in your web app..
Go to this url for more info
https://www.acunetix.com/websitesecurity/cross-site-scripting/
回答4:
have your ranking droped after this incident?
回答5:
After a lot of struggle, below things worked for me
mWebView.getSettings().setAppCacheMaxSize(0);
mWebView.getSettings().setAllowFileAccess(false);
mWebView.getSettings().setAppCacheEnabled(false);
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
来源:https://stackoverflow.com/questions/53095398/google-play-warning-your-app-contains-a-cross-app-scripting-vulnerability