Account takeover in Android app via JSB

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://tuxplorer.com/posts/account-takeover-via-jsb/
• Blog Title: Account takeover in Android app via JSB
• Suggested Section: Mobile Security -> Android Pentesting -> WebView / addJavascriptInterface (JavaScript Bridge) exploitation

🎯 Content Summary

Target surface: Android app embedding a Chromium-based WebView with a JavaScript Bridge (JSB) registered as xbridge via addJavascriptInterface. The app also supports deep links and an in-app IM WebView.

Goal: Steal the user’s authenticated session by exfiltrating the WebView cookie database and, more generally, read arbitrary files from the app sandbox.

Tools and setup:
- Reverse/decompile: <a href="https://github.com/skylot/ja...

🔧 Technical Details

JSB dispatcher abuse: When a bridge exposes a generic dispatcher (e.g., invokeMethod) that deserializes attacker JSON into a BridgeObject, set handlerName to a sensitive module and shape data to hit dangerous native sinks. The callback/Promise mechanism returns results into page JS via evaluateJavascript.

Arbitrary file read via URI → File: If a handler does Uri.parse(req.uri).getPath() → new File(...) without an allowlist, passing a file:// URI lets you read app-sandbox files (e.g., WebView cookie DB) and exfiltrate them as Base64 through the JSB callback.

Bypassing WebView privilege gates: Avoid host checks using String.endsWith. Logic like host.endsWith(".trusted.com") || ".trusted.com".endsWith(host) lets unrelated domains pass, loading a JSB-enabled WebView. Apply De Morgan’s law to simplify and spot the flawed OR con...

🤖 Agent Actions

I analyzed the blog and the HackTricks repository and updated the existing Android WebView page with the new, highly technical exploitation techniques from the post.

What I changed

• Updated: src/mobile-pentesting/android-app-pentesting/webview-attacks.md

  • Added a dedicated subsection under the JavaScript Bridge area explaining:

    • Dispatcher-style JSB abuses (invokeMethod/handlerName) and the typical JSON shape used by bridges.
    • Arbitrary file read via URI → File sinks that return Base64 (bypassing WebView file access settings) with a concise PoC exfiltrating the Chromium WebView cookie database.
    • Hunting and enumeration guidance: grep addJavascriptInterface, enumerate in DevTools by typing the bridge object, and searching for getModuleName()/registration.
    • Privilege gate bypass via flawed host allowlists using String.endsWith and a clear, generalizable pseudocode snippet showing the bug and reasoning (De Morgan’s).
    • javascript:// execution primitive via native loadUrl("javascript:...") in privileged WebViews and how to leverage it to call the JSB dispatcher.
    • Mitigations specific to these patterns: strict origin allowlists, per-call JSB authorization, removing filesystem-capable handlers or forcing content:// with allowlists, avoiding loadUrl("javascript:") in privileged contexts, and noting that setAllowFileAccess(false) doesn’t stop native File reads in JSB.
    • Debugging tips to force-enable WebView debugging and enumerate handlers via Chrome DevTools, with references to LSPosed and a Frida script.

  • Expanded References:

    • Added the blog URL (tuxplorer.com) and supporting references for LSPosed and the Frida script to enable WebView debugging.

Why this location

• The blog content is squarely about Android WebView addJavascriptInterface exploitation and privilege gating mistakes. The most appropriate place is the existing WebView attacks page rather than creating a new file. I focused the update on the JavaScript Bridge exploitation and added the flawed host allowlist and javascript:// execution primitive to fit the page’s structure and style.

References added

• Account takeover in Android app via JSB – tuxplorer.com
• LSPosed
• Frida codeshare: Cordova – enable WebView debugging

No other files were modified or created.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://tuxplorer.com/posts/account-takeover-via-jsb/

Content Categories: Based on the analysis, this content was categorized under "Mobile Security -> Android Pentesting -> WebView / addJavascriptInterface (JavaScript Bridge) exploitation".

Repository Maintenance:

• MD Files Formatting: 901 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge