Fixing a File-based XSS Vulnerability

This information is intended for developers with app(s) that are vulnerable to File-based Cross-Site Scripting.

What’s happening

One or more of your apps contain a File-based Cross-Site Scripting vulnerability that must be fixed. Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)”, the location is in code dynamically loaded by the app or by a library it uses. Applications typically use dynamically loaded code through on-demand feature delivery; other, unrecommended techniques exist, and some of them also violate Google Play policy and should not be used. Packers can also transform application code into dynamically loaded code.

After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required

  1. Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

WebViews whose WebSettings set either setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs to true must not load any untrusted web content. This includes content from trusted domains that is loaded over HTTP, because an attacker on the network can modify it in transit. With these settings enabled, a page loaded from a file:// URL may read other local files (setAllowFileAccessFromFileURLs) or any origin at all (setAllowUniversalAccessFromFileURLs). Malicious web content, or an attacker on the network, can inject a script that redirects the WebView to a malicious local file; the script in that file then runs with the file:// origin and can read the app’s private local files or cookies and send them to the attacker.

You should prevent this vulnerability in one of the following ways:

  1. Ensure that WebViews do not have dangerous settings
  2. Ensure that WebViews cannot load local files or execute JavaScript
  3. Ensure that WebViews with dangerous settings do not load untrusted web content

1. Ensuring that WebViews do not have dangerous settings

Update android:targetSdkVersion in your Manifest to at least 16; apps that target API level 16 or higher get false as the default for both settings. If you cannot raise the target SDK version, or if any code path in your app or its libraries sets these options explicitly, call setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false) on the WebSettings of every WebView so that your WebViews are safe. Note that raising the target SDK version only changes the defaults: an explicit call that sets either option to true still makes the WebView vulnerable.

2. Ensuring that WebViews cannot load local files or execute JavaScript

Call setAllowFileAccess(false) to prevent WebViews with dangerous settings from loading local file:// URLs (assets and resources under file:///android_asset/ and file:///android_res/ remain accessible), or call setJavaScriptEnabled(false) to prevent WebViews with dangerous settings from executing JavaScript code. Apps that target API level 30 or higher get setAllowFileAccess false by default; for lower targets it defaults to true, so set it explicitly.
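The following Java class is an added example written for this page, not code from the original article or from Google; it shows the configuration that triggers the alert next to the fixes described under options 1 and 2. The class and method names (WebViewHardening, configureVulnerable, hardenWebSettings, configureRemoteOnly, hasDangerousFileSettings) are assumed for illustration; only the WebSettings calls are real Android API.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (not from the original page). Class and method names are assumed.
public final class WebViewHardening {

    // BEFORE: the combination that the Play Console alert flags. A page served from a
    // file:// URL can read other local files (setAllowFileAccessFromFileURLs) or any
    // origin at all (setAllowUniversalAccessFromFileURLs), and JavaScript is on, so a
    // script that reaches this WebView can read app-private files and send them out.
    static void configureVulnerable(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);      // dangerous
        s.setAllowUniversalAccessFromFileURLs(true); // dangerous
    }

    // AFTER, option 1: keep file:// loading and JavaScript if the app needs them, but
    // turn off the two cross-origin-from-file settings explicitly. Setting them in code
    // rather than relying on the targetSdkVersion >= 16 defaults keeps the fix in place
    // even if another code path or a library has turned them on.
    static void hardenWebSettings(WebSettings s) {
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }

    // AFTER, option 2: a WebView that only shows remote content. Refusing file:// URLs
    // removes the local file the attack needs; turning JavaScript off removes the
    // execution step. Apply both when the WebView needs neither.
    // setAllowFileAccess(false) still permits file:///android_asset/ and file:///android_res/.
    static void configureRemoteOnly(WebView webView) {
        WebSettings s = webView.getSettings();
        hardenWebSettings(s);
        s.setAllowFileAccess(false);
        s.setJavaScriptEnabled(false);
    }

    // Check to run from an instrumented test or a debug build: true when the WebView
    // still has a setting that allows file:// pages to read across origins.
    static boolean hasDangerousFileSettings(WebSettings s) {
        return s.getAllowFileAccessFromFileURLs() || s.getAllowUniversalAccessFromFileURLs();
    }
}
```

Run hasDangerousFileSettings against every WebView the app creates, including those constructed by libraries, after all configuration code has executed; the getters reflect the effective values, so the check also catches a library that re-enables the options after your own code has disabled them.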

3. Ensuring that WebViews with dangerous settings do not load untrusted web content

If a WebView needs these dangerous settings, you must ensure that it does not load untrusted web content. This includes content loaded over HTTP. Set android:usesCleartextTraffic="false" on the <application> element of your Manifest, or reference a Network Security Config that disallows cleartext traffic (cleartextTrafficPermitted="false"). Apps that target API level 28 or higher block cleartext traffic by default, but an explicit setting also protects builds with a lower target. Alternatively, ensure that WebViews with dangerous settings never load URLs with the http scheme, for example by rejecting them in a WebViewClient before the request is issued.

You should also ensure that WebViews with dangerous settings do not load URLs obtained from untrusted sources, such as Intent extras, deep links, or server responses, without first validating the scheme and host.
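The following WebViewClient is an added example for option 3, written for this page rather than taken from the original article or from Google. It allows only HTTPS navigations to an allowlist of hosts, and it validates externally supplied URLs before loadUrl(), since shouldOverrideUrlLoading is not invoked for the URL the app itself passes to loadUrl(). The class name TrustedOnlyWebViewClient, the helper names isAllowed and loadIfTrusted, and the hosts in TRUSTED_HOSTS are assumptions; replace the hosts with the ones your WebView is actually meant to show.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not from the original page). Class, helper and host names are assumed.
public final class TrustedOnlyWebViewClient extends WebViewClient {

    // Hosts the app controls. Constructed for this example; not from the page.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "example.com", "www.example.com"));

    // Decides whether a URL may be loaded into a WebView that has the dangerous settings
    // enabled. Kept as a pure function so it can be unit-tested without a WebView.
    static boolean isAllowed(Uri uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // HTTPS only: an http:// page lets an on-path attacker inject the script that
        // pivots the WebView to a local file.
        if (scheme == null || !"https".equals(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Allowlisted hosts only: a redirect to file://, content:// or an attacker's own
        // HTTPS origin is refused here rather than reaching the renderer.
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Called for navigations (including redirects and JavaScript-initiated ones) but not
    // for sub-resource fetches such as images or XHR; cleartext sub-resources are handled
    // by usesCleartextTraffic / the Network Security Config described above.
    // This overload requires API level 24; older targets override the String variant.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        // Returning true cancels the navigation; false lets the WebView proceed.
        return !isAllowed(request.getUrl());
    }

    // Entry point for URLs that came from outside the app (an Intent extra, a push
    // payload, a deep link). Validate first; never pass an untrusted string to loadUrl().
    static boolean loadIfTrusted(WebView webView, String untrustedUrl) {
        Uri uri = Uri.parse(untrustedUrl);
        if (!isAllowed(uri)) {
            return false; // caller shows an error; there is no fallback to loading anyway
        }
        webView.loadUrl(uri.toString());
        return true;
    }
}
```

Install the client with webView.setWebViewClient(new TrustedOnlyWebViewClient()) before the first load. Keep the allowlist to exact hostnames: matching on a suffix such as "example.com" would also accept "attacker-example.com", and matching on the URL string instead of the parsed host invites tricks with userinfo or encoded characters.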

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.
