Fixing a Cross-App Scripting Vulnerability
This information is intended for developers with app(s) that contain a Cross-App Scripting vulnerability.
One or more of your apps contain a WebView Cross-App Scripting issue which can allow malicious apps to steal user cookies and other data.
Please follow the steps below to fix the issue with your apps (listed at the end of this article). You can refer to the notice on your Play Console for the deadline to fix this problem. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected.
Option 1: Ensure that affected activities are not exported
Find any Activities with affected WebViews. If these Activities do not need to take Intents from other apps, you can set android:exported=false for the Activities in your Manifest. This ensures that malicious apps cannot send harmful inputs to any WebViews in these Activities.
Option 2: Protect WebViews in exported activities
- Update your targetSdkVersion
- Prevent unsafe file loads
Ensure that affected WebViews cannot load the cookie database. WebViews that load unsanitized file:// URLs from untrusted Intents can be attacked by malicious apps in the following way. A malicious web page can write <script> tags into the cookies database and then a malicious app can send an Intent with a file:// URL pointing to your WebView cookies database. The malicious script will execute if the cookies database is loaded in a WebView and can steal session information.
You can ensure that affected WebViews cannot load the WebView cookies database in two ways. You can either disable all file access or you can verify that any loaded file:// URLs point to safe files. Note that an attacker can use a symbolic link to trick checks on the URL path. To prevent such an attack, be sure to check the canonical path of any untrusted file:// URL before loading instead of just checking the URL path.
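The canonical-path check described above, as an added example that is not part of the original article. It is plain Java so it runs off-device; the class name SafeFileUrl, the method isSafe, and the shared/ and private/ directories are assumptions made for illustration, with private/Cookies standing in for the WebView cookies database.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example (hypothetical helper): validate an untrusted file:// URL. */
public final class SafeFileUrl {

    /**
     * Returns true only if url is a file:// URL whose canonical path
     * (symbolic links and ".." segments resolved) lies inside allowedDir.
     */
    static boolean isSafe(String url, File allowedDir) {
        try {
            URI uri = new URI(url);
            if (!"file".equalsIgnoreCase(uri.getScheme()) || uri.getPath() == null) {
                return false; // not a hierarchical file:// URL
            }
            // Trailing separator stops "/data/shared-evil" matching "/data/shared".
            String root = allowedDir.getCanonicalPath() + File.separator;
            String target = new File(uri.getPath()).getCanonicalPath();
            return target.startsWith(root);
        } catch (URISyntaxException | IOException e) {
            return false; // malformed URL or unresolvable path: refuse to load
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: shared/ is the only directory the WebView may load from.
        Path base = Files.createTempDirectory("webview-demo");
        Path shared = Files.createDirectory(base.resolve("shared"));
        Path priv = Files.createDirectory(base.resolve("private"));
        Path cookies = Files.createFile(priv.resolve("Cookies"));
        Path page = Files.createFile(shared.resolve("help.html"));
        // Symbolic link whose URL path is under shared/ but whose target is not.
        Path link = Files.createSymbolicLink(shared.resolve("link.html"), cookies);
        File allowed = shared.toFile();

        // Case 1: regular file inside the allowed directory.
        System.out.println("plain file: " + isSafe(page.toUri().toString(), allowed));
        // Case 2: symbolic link; a check on the URL path alone would accept this.
        System.out.println("symlink:    " + isSafe(link.toUri().toString(), allowed));
        // Case 3: ".." traversal out of the allowed directory.
        System.out.println("traversal:  "
                + isSafe("file://" + shared + "/../private/Cookies", allowed));
    }
}
```

In an Activity, run a check like this on the URL taken from the Intent before passing it to WebView.loadUrl. If the WebView never needs local files, WebSettings.setAllowFileAccess(false) disables file access entirely.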
- Update your app using the steps highlighted above.
- Sign in to your Play Console and submit the updated version of your app.
Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.
We’re here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.