Google PlayStore Warning #6

Open
WilliamBrain opened this issue Apr 14, 2019 · 3 comments

@WilliamBrain

When I published my app to the PlayStore it gives me a security warning in the Android Developer Console.

The warning is like this: The app contains a WebView which is vulnerable to injecting code through the java script interface. Suspicious area: com.wuadam.awesomewebview.helpers.VideoJsHelper->addJavascriptInterface

And it says that the problem should be solved before 07/07/2019.
I don't know what happens then ... maybe the app will be removed from the store?

In my code I never call this method.
The call is here: awesomewebview/helpers/VideoJsHelper.java line 56-66.
Wanted to let you know, maybe this helper class can be changed or improved for a future version.

@hzw1199
Owner

hzw1199 commented May 18, 2019

@WilliamBrain Thank you for reminding me, and apologies for the delayed reply.

I found the official remediation by Google:
https://support.google.com/faqs/answer/9095419?hl=en-GB

and also some posts on Stack Overflow that may help:
https://stackoverflow.com/questions/53679624/remediation-for-javascript-interface-injection-vulnerability
https://stackoverflow.com/questions/53705818/how-to-address-remediation-for-javascript-interface-injection-vulnerability

The conclusion is that, if possible, it is better to use HTTPS in your app. If you use HTTP, JavaScriptInterface won't be allowed by Google Play.
VideoJsHelper is a helper class to make video full screen. It contains JavaScriptInterface.
If it is possible for your app to use only HTTPS without HTTP, you can set android:usesCleartextTraffic to false in your Manifest to dismiss the warning from Google Play.
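
An added example (not part of this thread and not AwesomeWebView's code) of the HTTPS-only approach from the comment above, enforced in code alongside `android:usesCleartextTraffic="false"`: the JavaScript interface is attached only for an `https://` page, and cleartext navigations and subresources are refused. The class, bridge and method names are hypothetical, and `url` is assumed to be non-null.

```java
import java.io.ByteArrayInputStream;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example; HttpsOnlyBridge, VideoBridge and "videoBridge" are hypothetical names.
public final class HttpsOnlyBridge {
    private static final String BRIDGE_NAME = "videoBridge";

    /** Only methods annotated with @JavascriptInterface are callable from page script. */
    public static final class VideoBridge {
        @JavascriptInterface
        public void onFullscreenToggle(boolean entering) {
            // Keep the exposed surface minimal: no file, intent or reflection access.
        }
    }

    static boolean hasScheme(Uri uri, String scheme) {
        return uri != null && scheme.equalsIgnoreCase(uri.getScheme());
    }

    /** Attaches the bridge and loads url only if it is https://; returns false if refused. */
    public static boolean load(WebView webView, String url) {
        if (!hasScheme(Uri.parse(url), "https")) {
            return false; // never expose the bridge to a page fetched over cleartext
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new VideoBridge(), BRIDGE_NAME);
        webView.setWebViewClient(new WebViewClient() {
            @Override // API 24+: returning true cancels the navigation
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !hasScheme(request.getUrl(), "https");
            }

            @Override // API 21+: answer http:// subresources with an empty body
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (hasScheme(request.getUrl(), "http")) {
                    return new WebResourceResponse("text/plain", "UTF-8",
                            new ByteArrayInputStream(new byte[0]));
                }
                return null; // null lets WebView load the resource normally
            }
        });
        webView.loadUrl(url);
        return true;
    }
}
```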

@ghost

ghost commented Jul 25, 2019

@hzw1199 Your answer doesn't seem to relate to the question; the major issue is the possibility of a malicious app injecting JavaScript code through an interface (method) exposed by the WebView instance.

.injectJavaScript("javascript: alert(\"This is js inject\")")

@hzw1199
Owner

hzw1199 commented Sep 24, 2019

@gustavocagninzup This library injects JavaScript to make video fullscreen, just like what Google Play indicates: The app contains a WebView which is vulnerable to injecting code through the java script interface. Suspicious area: com.wuadam.awesomewebview.helpers.VideoJsHelper->addJavascriptInterface.

.injectJavaScript("javascript: alert(\"This is js inject\")") is an interface of this library, it also injects javascript.

It's strange that all my apps use this library but I have never had such a warning from Google. Maybe I can improve this library. BTW, thank you for your messages @WilliamBrain @gustavocagninzup
