iOS WebViews
WebViews types
WebViews are in-app browser components for displaying interactive web content. They can be used to embed web content directly into an app's user interface. iOS WebViews support JavaScript execution by default, so script injection and Cross-Site Scripting attacks can affect them.
****UIWebView: UIWebView is deprecated starting on iOS 12 and should not be used. It shouldn't be used. JavaScript cannot be disabled.
****WKWebView: This is the appropriate choice for extending app functionality, controlling displayed content.
JavaScript is enabled by default but thanks to the
javaScriptEnabled
property ofWKWebView
, it can be completely disabled, preventing all script injection flaws.The
JavaScriptCanOpenWindowsAutomatically
can be used to prevent JavaScript from opening new windows, such as pop-ups.The
hasOnlySecureContent
property can be used to verify resources loaded by the WebView are retrieved through encrypted connections.WKWebView
implements out-of-process rendering, so memory corruption bugs won't affect the main app process.
****SFSafariViewController: It **should be used to provide a generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements:
A read-only address field with a security indicator.
An Action ("Share") button.
A Done button, back and forward navigation buttons, and a "Safari" button to open the page directly in Safari.
JavaScript cannot be disabled in
SFSafariViewController
and this is one of the reasons why the usage ofWKWebView
is recommended when the goal is extending the app's user interface.SFSafariViewController
also shares cookies and other website data with Safari.The user's activity and interaction with a
SFSafariViewController
are not visible to the app, which cannot access AutoFill data, browsing history, or website data.According to the App Store Review Guidelines,
SFSafariViewController
s may not be hidden or obscured by other views or layers.
Discovering WebViews Configuration
Static Analysis
UIWebView
WKWebView
Alternatively you can also search for known methods of these WebView classes. For example, search for the method used to initialize a WKWebView (init(frame:configuration:)
):
Testing JavaScript Configuration
For WKWebView
s, as a best practice, JavaScript should be disabled unless it is explicitly required. To verify that JavaScript was properly disabled search the project for usages of WKPreferences
and ensure that the javaScriptEnabled
property is set to false
:
If only having the compiled binary you can search for this in it:
Testing OnlySecureContent
In contrast to UIWebView
s, when using WKWebView
s it is possible to detect mixed content (HTTP content loaded from a HTTPS page). By using the method hasOnlySecureContent
it can be verified whether all resources on the page have been loaded through securely encrypted connections.
In the compiled binary:
You can also search in the source code or strings the string "http://". However, this doesn't necessary means that there is a mixed content issue. Learn more about mixed content in the MDN Web Docs.
Dynamic Analysis
It's possible to inspect the heap via ObjC.choose()
to find instances of the different types of WebViews and also search for the properties javaScriptEnabled
and hasonlysecurecontent
:
Load it with:
WebView Protocol Handling
Several default schemes are available that are being interpreted in a WebView on iOS, for example:
http(s)://
file://
tel://
WebViews can load remote content from an endpoint, but they can also load local content from the app data directory. If the local content is loaded, the user shouldn't be able to influence the filename or the path used to load the file, and users shouldn't be able to edit the loaded file.
WebView content load
UIWebView: It can use deprecated methods
loadHTMLString:baseURL:
orloadData:MIMEType:textEncodingName:baseURL:
to load content.WKWebView: It can use the methods
loadHTMLString:baseURL:
orloadData:MIMEType:textEncodingName:baseURL:
to load local HTML files andloadRequest:
for web content. Typically, the local files are loaded in combination with methods including, among others:pathForResource:ofType:
,URLForResource:withExtension:
orinit(contentsOf:encoding:)
. In addition, you should also verify if the app is using the methodloadFileURL:allowingReadAccessToURL:
. Its first parameter isURL
and contains the URL to be loaded in the WebView, its second parameterallowingReadAccessToURL
may contain a single file or a directory. If containing a single file, that file will be available to the WebView. However, if it contains a directory, all files on that directory will be made available to the WebView. Therefore, it is worth inspecting this and in case it is a directory, verifying that no sensitive data can be found inside it.
If you have the source code you can search for those methods. Having the compiled binary you can also search for these methods:
File Access
UIWebView:
The
file://
scheme is always enabled.File access from
file://
URLs is always enabled.Universal access from
file://
URLs is always enabled.If you retrieve the effective origin from a
UIWebView
wherebaseURL
is also set tonil
you will see that it is not set to "null", instead you'll obtain something similar to the following:applewebdata://5361016c-f4a0-4305-816b-65411fc1d78
0. This origin "applewebdata://" is similar to the "file://" origin as it does not implement Same-Origin Policy and allow access to local files and any web resources.
WKWebView:
allowFileAccessFromFileURLs
(WKPreferences
,false
by default): it enables JavaScript running in the context of afile://
scheme URL to access content from otherfile://
scheme URLs.allowUniversalAccessFromFileURLs
(WKWebViewConfiguration
,false
by default): it enables JavaScript running in the context of afile://
scheme URL to access content from any origin.
You can search for those functions in the source code of the application or in the compiled binary. Also, you can use the following frida script to find this information:
Native Methods Exposed Through WebViews
Since iOS 7, Apple introduced APIs that allow communication between the JavaScript runtime in the WebView and the native Swift or Objective-C objects.
There are two fundamental ways of how native code and JavaScript can communicate:
JSContext: When an Objective-C or Swift block is assigned to an identifier in a
JSContext
, JavaScriptCore automatically wraps the block in a JavaScript function.JSExport protocol: Properties, instance methods and class methods declared in a
JSExport
-inherited protocol are mapped to JavaScript objects that are available to all JavaScript code. Modifications of objects that are in the JavaScript environment are reflected in the native environment.
Note that only class members defined in the JSExport
protocol are made accessible to JavaScript code.
Look out for code that maps native objects to the JSContext
associated with a WebView and analyze what functionality it exposes, for example no sensitive data should be accessible and exposed to WebViews.
In Objective-C, the JSContext
associated with a UIWebView
is obtained as follows:
JavaScript code in a WKWebView
can still send messages back to the native app but in contrast to UIWebView
, it is not possible to directly reference the JSContext
of a WKWebView
. Instead, communication is implemented using a messaging system and using the postMessage
function, which automatically serializes JavaScript objects into native Objective-C or Swift objects. Message handlers are configured using the method add(_ scriptMessageHandler:name:)
.
Enabling JavascriptBridge
Sending Message
Adding a script message handler with name "name"
(or "javaScriptBridge"
in the example above) causes the JavaScript function window.webkit.messageHandlers.myJavaScriptMessageHandler.postMessage
to be defined in all frames in all web views that use the user content controller. It can be then used from the HTML file like this:
Called Function
The called function resides in JavaScriptBridgeMessageHandler.swift
:
Testing
In order to test send a postMessage inside an application you can:
Change the servers response (MitM)
Perform a dynamic instrumentation and inject the JavaScript payload by using frameworks like Frida and the corresponding JavaScript evaluation functions available for the iOS WebViews (
stringByEvaluatingJavaScriptFromString:
forUIWebView
andevaluateJavaScript:completionHandler:
forWKWebView
).
References
Last updated