Recipe Name:
WebView Best Practices: Check URL to White List
Description:
Consider allowlist validation for URLs passed to this method
Level:
error
Language:
- java
Tags:
- security
- mobile
- framework specific
- Android
Documentation
The Android best practices and secure coding guidelines make recommendations for WebView
and its configuration.
Regardless where the URL originates from, it is 'best practice' to verify that the URL does not target local resources. This can easily be achieved by checking the start of the string for file:
. It is considered best practice to also check the URL to be loaded against a white list. The settings below should also be considered to improve the overall security of the application:
WebView wv = new WebView(context); wv.loadUrl(url);After
WebView wv = new WebView(context); WebSettings = ws = wv.getSettings(); ws.setJavaScriptEnabled(false); ws.setAllowFileAccess(false); ws.setGeolocationEnabled(false); ws.setAllowContentAccess(false); int never = WebSettings.MIXED_CONTENT_NEVER_ALLOW ws.setMixedContentMode(never); if( !url.startsWith("file:")) wv.loadUrl(url);
Additionally avoid using the following settings (Deprecated since API level 30) to prevent malicious scripts from accessing arbitrary local files or launching XSS attacks.
ws.setAllowFileAccessFromFileURLs(true); ws.setAllowUniversalAccessFromFileURLs(true);
Recipe
id: scw:android:webview-url-allowlist version: 10 metadata: name: 'WebView Best Practices: Check URL to White List' shortDescription: Consider allowlist validation for URLs passed to this method level: error language: java cweCategory: 20 enabled: true descriptionFile: descriptions/AndroidWebViewbestpractices.html tags: security;mobile;framework specific;Android search: methodcall: name: loadUrl type: android.webkit.WebView availableFixes: []