Skip to content

Security Issue: WebView Allows Access to Local Files in NavigateTolinkActivity #39

Description

@prakash-robosoft

Description:

During our regular Android app security scanning, the NowSecure tool has reported a security vulnerability in the Apptentive Android SDK. The issue relates to a WebView configuration that allows access to local files, which could potentially be exploited by attackers to execute malicious code or access sensitive local resources.

Steps to Reproduce:
NowSecure’s static analysis detected that a WebView in NavigateTolinkActivity.kt has file access enabled. The detection considers the app’s minSdkVersion, which affects the default WebView behavior as follows:

setAllowFileAccess is true by default when minSdkVersion <= 29
setAllowFileAccessFromFileURLs is true by default when minSdkVersion <= 15
setAllowUniversalAccessFromFileURLs is true by default when minSdkVersion <= 15
The identified WebView meets the following conditions:

  • setAllowFileAccess(true) is explicitly enabled.
  • JavaScript is enabled using setJavaScriptEnabled(true).

Evidence

{
  "local_resource_access_method": "setAllowFileAccess",
  "default_used": "Yes",
  "value": true,
  "source_file": "apptentive/com/android/feedback/link/view/NavigateTolinkActivity.kt",
  "package_name": "apptentive.com.android.feedback.link.view",
  "class_name": "NavigateTolinkActivity",
  "method": "onCreate",
  "kind": "fail",
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions