medium | M4 | MASVS-PLATFORM-2 | static analysis | PTKD-WEBVIEW-JSI

WebView JavaScript bridge exposed

addJavascriptInterface exposes native methods to web content; on older WebViews it enables remote code execution.

How it's exploited

addJavascriptInterface exposes native methods to page JavaScript. If the WebView ever renders attacker-influenced content (an http page, a MITM'd response, an open redirect, an ad), that script can call your bridge directly; pre-API-21 it was full RCE.

Why it matters

Web content escalates into native capability: file access, token theft, or arbitrary actions your bridge allows.

How to fix it

  1. Only attach the bridge to WebViews that load exclusively your own HTTPS origins; verify with shouldOverrideUrlLoading.
  2. Annotate the minimal method set with @JavascriptInterface and treat every argument as hostile input.
  3. Prefer WebMessageListener/postMessage channels with origin allowlists on modern AndroidX WebKit.
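
The three steps combined, as an added example (not code from this knowledge base or any specific app). The origin `https://app.example.com`, the object name `appBridge` and the `getAppVersion` command are assumptions for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import java.util.Collections;

public final class HardenedBridge {
    // Assumption: the single HTTPS origin this WebView is allowed to show.
    private static final String TRUSTED_ORIGIN = "https://app.example.com";

    public static void attach(WebView webView) {
        // Step 1: cancel navigations that leave the trusted origin.
        // This overload is available from API 24.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true = block the load
            }
        });

        // Step 3: fail closed. If the installed WebView lacks the feature,
        // attach no bridge instead of falling back to addJavascriptInterface.
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            return;
        }
        // The JS object "appBridge" is injected only into frames whose origin
        // matches the allowlist; page script calls appBridge.postMessage(...).
        WebViewCompat.addWebMessageListener(webView, "appBridge",
                Collections.singleton(TRUSTED_ORIGIN),
                (view, message, sourceOrigin, isMainFrame, replyProxy) -> {
                    // Step 2: re-check the sender and treat the payload as hostile.
                    if (!isMainFrame || !isTrusted(sourceOrigin)) return;
                    String command = message.getData();
                    if ("getAppVersion".equals(command)) {   // fixed command allowlist
                        replyProxy.postMessage("1.0.0");     // constructed sample value
                    }
                    // Anything else is dropped: no reflection, no dynamic dispatch.
                });
    }

    // Exact scheme/host/port comparison; prefix or contains() checks are bypassable.
    static boolean isTrusted(Uri uri) {
        Uri trusted = Uri.parse(TRUSTED_ORIGIN);
        return uri != null && "https".equals(uri.getScheme())
                && trusted.getHost().equals(uri.getHost())
                && trusted.getPort() == uri.getPort();
    }
}
```

shouldOverrideUrlLoading is not invoked for URLs passed to loadUrl() or for POST requests, so the app must also validate any URL it loads itself.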
