A technical blog on Computer Science and Software Development topics by Tomás Pérez.

Android and JS through addJavascriptInterface

In the Android world, the WebView object provides a way to display embedded web pages in your mobile application without needing to launch the external browser.
Internally it uses the WebKit rendering engine and provides several useful methods for controlling the interaction, including a method to expose a Java object inside the JavaScript context of the web app that is loaded in the WebView.

The only security requirement is the Internet permission, declared in your Android Manifest file. That is not an especially risky permission from the user's perspective, at least until we see what we can do with a WebView and JavaScript.

That was easy. Now just inject a JavaScript object that implements the methods of a Java object in a web page:

That's cool, isn't it? What else could we do? It seems that we can override already existing objects, as in the following example:

Interesting, isn't it?

In my opinion, for Android apps, the addJavascriptInterface method shouldn't be available with just the Internet permission. It seems pretty easy to override an existing JavaScript object, and that could be used in a malicious way that would be quite difficult to detect.
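For developers who do need the bridge, here is one way to narrow what addJavascriptInterface exposes. This is an added example, not code from the original post; the class names, the `ExampleBridge` name and the host `app.example.com` are assumptions, and it assumes a minimum API level of 24 for the `shouldOverrideUrlLoading` overload used.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeActivity extends Activity {
    // Assumption: the single host whose pages are allowed to see the bridge.
    private static final String TRUSTED_HOST = "app.example.com";

    // Object exposed to page scripts: keep it small and free of sensitive state.
    public static final class Bridge {
        // On API 17+ only public methods with this annotation are callable from JS.
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed sample value
        }

        // Not annotated, so page scripts cannot call it on API 17+.
        public void internalOnly() { }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Refuse navigation away from the trusted HTTPS host (true = cancel the load).
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri uri = request.getUrl();
                boolean trusted = "https".equals(uri.getScheme())
                        && TRUSTED_HOST.equals(uri.getHost());
                return !trusted;
            }
        });

        // Use a name that does not collide with a built-in global such as
        // "console" or "navigator", so the page's own objects are not replaced.
        webView.addJavascriptInterface(new Bridge(), "ExampleBridge");
        webView.loadUrl("https://" + TRUSTED_HOST + "/index.html");
    }
}
```

The injected object is visible to every frame of the loaded page, including iframes, so the trusted page itself should not embed third-party content.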