[ https://issues.apache.org/jira/browse/CB-12202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
jcesarmobile closed CB-12202.
-----------------------------
    Resolution: Duplicate
      Assignee: jcesarmobile

It's a duplicate of CB-11719

> Security: Exposed Dangerous Method or Function
> ----------------------------------------------
>
>                 Key: CB-12202
>                 URL: https://issues.apache.org/jira/browse/CB-12202
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Daulet Urazalinov
>            Assignee: jcesarmobile
>              Labels: security
>
> We use VeraCode to analyze the level of security of our applications. When we
> submit our application that uses the latest Cordova version, we get "Exposed
> Dangerous Method or Function" (http://cwe.mitre.org/data/definitions/749.html)
> in this file: org/apache/cordova/engine/SystemWebViewEngine.java line 262.
> We would like to know your opinion about this issue and the suggested remediation.
>
> Here is the detailed information we got from VeraCode:
>
> Attack Vector: android.webkit.WebView.addJavascriptInterface
>
> Description: Use of the android.webkit.WebView.addJavascriptInterface()
> method before Android SDK revision 17 (Android 4.2) is dangerous, as this
> allows remote attackers to execute arbitrary methods of Java objects (using
> the inherited .getClass()) within JavaScript code that is loaded into the
> WebView.
>
> Remediation: The ideal solution is to remove the use of a JavaScript-Java
> bridge in this application. Another possible solution is to develop a custom
> bridge via the shouldOverrideUrlLoading() method; however, this option can be
> risky and consideration must be given to what functionality is exposed and to
> the prevention of injection attacks. If removal or development of a custom
> solution are not options, then one should at least verify the application is
> not loading JavaScript from an untrusted source.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
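Added illustration (editor's example, not Cordova's SystemWebViewEngine code and not anything the reporter or VeraCode supplied): the shape of an addJavascriptInterface() bridge that addresses the finding quoted above. The class name SafeNativeBridge, its methods and the bridge name are hypothetical. Two controls do the work: the bridge is attached only on API 17 (JELLY_BEAN_MR1) and later, where Android exposes to script only methods annotated with @JavascriptInterface, so the inherited java.lang.Object methods such as getClass() that the VeraCode description names are not reachable; and on older platforms no bridge is registered at all, leaving the caller to fall back to something else (for example the shouldOverrideUrlLoading() scheme the remediation text mentions).

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/**
 * Hypothetical bridge object used to illustrate the hardening discussed in CB-12202.
 *
 * On API 17+ only methods carrying @JavascriptInterface are callable from page
 * JavaScript. Public methods without the annotation, including those inherited from
 * java.lang.Object (getClass() and friends), are invisible to script, which closes
 * the reflection path described in the VeraCode finding.
 */
public final class SafeNativeBridge {

    /** Minimum platform level on which the @JavascriptInterface restriction is enforced. */
    static final int MIN_SAFE_API = Build.VERSION_CODES.JELLY_BEAN_MR1; // 17

    private final String appVersion;

    public SafeNativeBridge(String appVersion) {
        this.appVersion = appVersion;
    }

    /** Explicitly exported to JavaScript: the only method script may call. */
    @JavascriptInterface
    public String getAppVersion() {
        return appVersion;
    }

    /** Deliberately NOT annotated: unreachable from JavaScript on API 17+. */
    public void resetLocalState() {
        // internal housekeeping only
    }

    /**
     * Attach the bridge to a WebView only where the platform enforces the annotation.
     *
     * @param webView the WebView that will load the (trusted, locally bundled) content
     * @param name    the JavaScript global name to bind, e.g. "_nativeBridge" (hypothetical)
     * @param bridge  the object to expose
     * @return true if the bridge was registered, false if it was withheld
     */
    public static boolean attach(WebView webView, String name, SafeNativeBridge bridge) {
        if (Build.VERSION.SDK_INT < MIN_SAFE_API) {
            // Below API 17 every public method of 'bridge', and everything reachable via
            // getClass(), would be callable from script. Register nothing; a caller can
            // fall back to a shouldOverrideUrlLoading()-based scheme instead.
            return false;
        }
        webView.addJavascriptInterface(bridge, name);
        return true;
    }
}
```

Usage is a single call from the Activity that owns the WebView, for example `SafeNativeBridge.attach(webView, "_nativeBridge", new SafeNativeBridge("1.0"))`, with the boolean result used to decide whether script should expect the global to exist. Neither control replaces the last point in the remediation text: even with the annotation enforced, any JavaScript the WebView loads can call every exported method, so the page content itself must come only from trusted (ideally bundled) sources.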