This information is intended for developers with app(s) that contain the JavaScript Interface Injection Vulnerability.
What’s happening
Vulnerable locations in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)” then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other unrecommended techniques exist (some unrecommended techniques also violate the Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.
After the deadlines shown in your Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.
Action required
- Sign in to your Play Console, and navigate to the Alerts section to see which apps are affected and the deadlines to resolve these issues.
- Update your affected apps and fix the vulnerability.
- Submit the updated versions of your affected apps.
Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.
Additional details
WebViews that expose app-level objects to JavaScript code via addJavascriptInterface and load untrusted web content are vulnerable to JavaScript Interface Injection. The untrusted content can execute any of the exposed objects’ methods annotated with @JavascriptInterface, leading to data leakage, data corruption, or even arbitrary code execution.
We recommend that you prevent this vulnerability in one of the following ways:
Option 1: Ensure that WebViews do not add Objects to the JavaScript interface
Ensure that there are no objects added to the JavaScript interface of any WebView that loads untrusted web content. You can do this in two ways:
- Ensure that no objects are ever added to the JavaScript interface via calls to addJavascriptInterface.
- Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView.
Option 2: Ensure that WebViews do not load untrusted web content
If your app needs to expose objects to the JavaScript interface of a WebView, ensure that this WebView does not load web content over an unencrypted connection. You can set android:usesCleartextTraffic to false in your Manifest or set a Network Security Config that disallows HTTP traffic. Alternatively, you can ensure that any affected WebViews do not load any URLs with HTTP schemes via loadUrl.
Ensure that WebViews with JavaScript interfaces do not load unchecked URLs obtained from untrusted sources (e.g., URLs obtained from untrusted Intents).
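The checks described in Option 2 can be combined in one loader, shown here as an added example that is not part of the original guidance. The class name, the bridge name "AppBridge", the bridge method and the host app.example.com are hypothetical placeholders, and the WebResourceRequest overload of shouldOverrideUrlLoading assumes API level 24 or later.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public final class TrustedWebViewLoader {
    // Assumption: the only host whose content the app fully controls (placeholder).
    private static final Set<String> TRUSTED_HOSTS = Collections.singleton("app.example.com");
    private static final String BRIDGE_NAME = "AppBridge"; // hypothetical name

    /** Hypothetical bridge; only @JavascriptInterface methods are callable from JS. */
    public static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    /** True only for https URLs whose host exactly matches a trusted host. */
    static boolean isTrusted(Uri uri) {
        if (uri == null || uri.getHost() == null) return false;
        return "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
    }

    /** Loads a URL from an untrusted source (e.g. an Intent extra); false if rejected. */
    public static boolean load(WebView webView, String untrustedUrl) {
        Uri uri = untrustedUrl == null ? null : Uri.parse(untrustedUrl);
        if (!isTrusted(uri)) {
            // Rejected: make sure the bridge is not exposed, and load nothing.
            webView.removeJavascriptInterface(BRIDGE_NAME);
            return false;
        }
        // Cancel link navigations that would leave the trusted hosts.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true = do not load in this WebView
            }
        });
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), BRIDGE_NAME);
        webView.loadUrl(uri.toString());
        return true;
    }
}
```

Call load on the UI thread, as with other WebView methods.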
We're here to help
If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.