The usage of WebViews in Android apps is a widely-used approach because of its OS independent development of apps. If an app is developed in form of a web-GUI, it can be easily integrated in any OS-specific app, such as Android, iOS or Blackberry. For instance, Chin et al.  analyzed 864 different Android apps in their research, where 608 (70%) of those contained WebViews. This shows that the integration of WebViews is common in Android apps.
Last week, Trustlook published a blog post about a WebView vulnerability in Android that allows an attacker to execute arbitrary code in an application (e.g., install new application on the device) just via a drive-by attack. In this post we want to describe the attack in detail and explain Google’s mitigation against it.
The general idea of this attack is described with the following picture:
- A benign application creates a WebView for displaying web pages.
public String returnHelloWorld()
All other methods are not able to be access. This is also the reason why our example is no longer working, since the getClass() method is not annotated.
Stephan Huber and Siegfried Rasthofer
 Chin, Erika, and David Wagner. “Bifocals: Analyzing WebView Vulnerabilities in Android apps.”
Cross-posted from SEEBlog