5

I've come across a hybrid Android app, meaning most of its UI is implemented in a WebView using HTML and JavaScript technologies. The app itself connects to the server, and one of the possible responses can include an `evaluate` field, which is then directly executed via JavaScript's `eval()` command.

Is this a security issue? What kinds of attacks can an attacker carry out via this attack vector?

Mavrik

Comments:

  • That depends entirely on who gets to write into that field. It might be safe, but it's most likely not. The reasons as to why `eval()` is such a big issue can be found [here](https://security.stackexchange.com/a/94020/163495). –  Feb 13 '20 at 11:08
  • Find all HackerOne issue reports related to this to better understand real-world cases: https://www.google.com/search?client=firefox-b-d&q=hackerone+eval%28%29 – Jay seen Feb 13 '20 at 12:23

1 Answer

-1

meh. eval might be scary or downright dangerous in the hands of the naive, but script tags are actually worse from a capability perspective, yet needed. Hybrid apps need scripts to run and can't do anything without them. Just like in a normal webapp, content will be fetched from a server, and some of that content needs to execute to drive the app.

The developers could put most/all of the JS into the client app instead of loading it from the server, but that gets stale quickly, or gets annoying by posing constant updates, while changing a server response is instant and invisible to the user. If the app uses a modular system and has a formal communication mechanism in place, it probably makes sense to deliver code using the same "pipeline to home" as the data. This offers the opportunity to sign, validate, restrict, isolate, and reject tampered code.

In terms of security issues, consider that all apps are a security issue. The app itself can do a LOT more than sandboxed JS running in a webview can. There are also ways to restrict capabilities when evaluating manually-fetched code, aside from code inspection, by running in a different context, like those in node.js, webworkers, empty frames, official (ES20xx) modules, etc.

While I obviously don't know the details of the app's code-handling, I wouldn't assume that the fetched code runs top-level (indirect eval) with access to "everything". Nor would I assume that user-created content is accidentally shipped inside these response fields. Nor would I assume that the OS's web-view sandbox is being broken out of, or that the OS's app isolation measures are failing. Nor would I assume the app even has enough permissions to stitch all the requisite mistakes together in a way that permits anything more sinister than a run-of-the-mill money-making app that doesn't use hybrid views. The "worst that can happen" (omitting zero-days) is whatever the app's permissions allow, same as always.

In short: your observations reveal how this app works, not that it's doing anything inherently misguided or especially risky.

dandavis