by dmayer 4460 days ago
There is a CVE (CVE-2012-6636) [1,2] related to the general issue they are mentioning. Basically one could use reflection to call any public function on any class in the app. Since Android 4.2 one now needs to add the @JavascriptInterface decorator to explicitly expose methods. At least this is my current understanding of this.

If the app then uses HTTP or HTTPS without certificate validation, it is easily possible to inject JavaScript code even when no Cross-Site Scripting vulnerability exists in the app.

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-66...

[2] https://labs.mwrinfosecurity.com/advisories/2013/09/24/webvi...
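An added example, not part of the comment above or of any app it discusses: a WebView bridge that exposes one method through `@JavascriptInterface` and registers the bridge only on Android 4.2 (API 17) or later. The class names, the `AppBridge` script name and the URL are hypothetical, and the app is assumed to set `targetSdkVersion` to 17 or higher.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class BridgeActivity extends Activity {

    /** Hypothetical bridge object handed to page script. */
    static final class AppBridge {
        // Annotated: callable from JavaScript as AppBridge.appVersion().
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed sample value
        }

        // Public but not annotated: not reachable from page script when the
        // app targets API 17+ and runs on Android 4.2 or later.
        public void internalOnly() { }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Below API 17 the annotation is not enforced and every public method,
        // inherited ones included, stays reachable through reflection, so the
        // bridge is registered only where the annotation is honoured.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        }

        // Load over HTTPS only. No WebViewClient overrides onReceivedSslError
        // to call proceed(), so a page with an invalid certificate is not loaded.
        webView.loadUrl("https://app.example.com/index.html"); // placeholder URL
    }
}
```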

1 comments

Thank you very much for the details and CVE link.