Remediation for Sensitive JavaScript Interface Vulnerability

This information is intended for developers with an app that contains the Sensitive JavaScript Interface Vulnerability.

What’s happening

Please refer to the notice in Play Console

After the deadlines shown in Play Console, any apps that contain unfixed security vulnerabilities may be removed from Google Play.

Action required​

  1. Open the Google Play email notification sent to the account owner’s email address to see  which apps are affected and the deadlines to resolve these issues.
  2. Update your affected apps and fix the vulnerability.
  3. Submit the updated versions of your affected apps.

Upon resubmission, your app will be reviewed again. This process can take several hours. If the app passes review and is published successfully, then no further action is required. If the app fails review, then the new app version will not be published and you will receive an email notification.

Additional details

According to the Device and Network Abuse Policy, "Apps or third-party code (for example, SDKs) with JavaScript loaded at run time must not allow potential violations of Play Developer Policies." 

In this article, we refer to any object that exposes functionality to a WebView through the addJavascriptInterface method of a WebView as a Javascript interface as described in Google Developers Blog, Building web apps in WebView.

This vulnerability class allows for potential User Data and Malware violations to occur through JavaScript interfaces. Depending on the exposed interfaces, this can lead to unanticipated data collection and exfiltration along with potentially harmful applications without the app or SDK developer’s knowledge.

We recommend that you prevent this vulnerability in one of the following ways:

Option 1: Ensure that WebViews do not add Objects to the JavaScript interface

Ensure that there are no objects added to the JavaScript interface of any WebView that loads untrusted web content. You can do this in two ways:

  1. Ensure that no objects are ever added to the JavaScript interface via calls to addJavascriptInterface.
  2. Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView.

Option 2: Ensure that sensitive functionality is not exposed through a JavaScript interface

Ensure that any sensitive functionality (such as Android API calls that require permissions) is not added to JavaScript interfaces. This includes not gathering sensitive data such as information about the user/device or exposing APIs such as accessibility or SMS messaging. There are multiple ways to resolve your vulnerability this way:

  1. Reimplement any functionality that requires sensitive permissions or gathers sensitive information so that it is called from code packaged within the application. Ensure that prominent disclosure is provided to users.
  2. Remove any functions that provide access to sensitive functionality or user data that is accessible from the interface.

Option 3: Ensure that your WebView is not exposing sensitive functionality to untrusted content

If your WebView contains sensitive functionality, it may not load arbitrary JavaScript from unknown sources and must provide prominent disclosure of the data or functionality being used. Ensure that only strictly scoped URLs and content owned by the app developer is loaded into the WebView.

In the case that the vulnerability is not remediated, the app will be enforced for potential Play policy violations.

We're here to help

If you’ve reviewed the policy and feel our decision may have been in error, please reach out to our policy support team. We’ll get back to you within 2 business days.

Thanks for your continued support in helping to make Google Play a positive experience for both developers and consumers.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
7281646028892876158