Skip to content

Account takeover in Android app via JSB #1510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 25, 2025
Merged

Account takeover in Android app via JSB #1510

merged 1 commit into from
Oct 25, 2025
+106 −0

Conversation

@carlospolop
Copy link
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target surface: Android app embedding a Chromium-based WebView with a JavaScript Bridge (JSB) registered as xbridge via addJavascriptInterface. The app also supports deep links and an in-app IM WebView.

Goal: Steal the user’s authenticated session by exfiltrating the WebView cookie database and, more generally, read arbitrary files from the app sandbox.

Tools and setup:
- Reverse/decompile: <a href="https://github.com/skylot/ja...

🔧 Technical Details

JSB dispatcher abuse: When a bridge exposes a generic dispatcher (e.g., invokeMethod) that deserializes attacker JSON into a BridgeObject, set handlerName to a sensitive module and shape data to hit dangerous native sinks. The callback/Promise mechanism returns results into page JS via evaluateJavascript.

Arbitrary file read via URI → File: If a handler does Uri.parse(req.uri).getPath()new File(...) without an allowlist, passing a file:// URI lets you read app-sandbox files (e.g., WebView cookie DB) and exfiltrate them as Base64 through the JSB callback.

Bypassing WebView privilege gates: Avoid host checks using String.endsWith. Logic like host.endsWith(".trusted.com") || ".trusted.com".endsWith(host) lets unrelated domains pass, loading a JSB-enabled WebView. Apply De Morgan’s law to simplify and spot the flawed OR con...

🤖 Agent Actions

I analyzed the blog and the HackTricks repository and updated the existing Android WebView page with the new, highly technical exploitation techniques from the post.

What I changed

  • Updated: src/mobile-pentesting/android-app-pentesting/webview-attacks.md

    • Added a dedicated subsection under the JavaScript Bridge area explaining:

      • Dispatcher-style JSB abuses (invokeMethod/handlerName) and the typical JSON shape used by bridges.
      • Arbitrary file read via URI → File sinks that return Base64 (bypassing WebView file access settings) with a concise PoC exfiltrating the Chromium WebView cookie database.
      • Hunting and enumeration guidance: grep addJavascriptInterface, enumerate in DevTools by typing the bridge object, and searching for getModuleName()/registration.
      • Privilege gate bypass via flawed host allowlists using String.endsWith and a clear, generalizable pseudocode snippet showing the bug and reasoning (De Morgan’s).
      • javascript:// execution primitive via native loadUrl("javascript:...") in privileged WebViews and how to leverage it to call the JSB dispatcher.
      • Mitigations specific to these patterns: strict origin allowlists, per-call JSB authorization, removing filesystem-capable handlers or forcing content:// with allowlists, avoiding loadUrl("javascript:") in privileged contexts, and noting that setAllowFileAccess(false) doesn’t stop native File reads in JSB.
      • Debugging tips to force-enable WebView debugging and enumerate handlers via Chrome DevTools, with references to LSPosed and a Frida script.

    • Expanded References:

      • Added the blog URL (tuxplorer.com) and supporting references for LSPosed and the Frida script to enable WebView debugging.

Why this location

  • The blog content is squarely about Android WebView addJavascriptInterface exploitation and privilege gating mistakes. The most appropriate place is the existing WebView attacks page rather than creating a new file. I focused the update on the JavaScript Bridge exploitation and added the flawed host allowlist and javascript:// execution primitive to fit the page’s structure and style.

References added

  • Account takeover in Android app via JSB – tuxplorer.com
  • LSPosed
  • Frida codeshare: Cordova – enable WebView debugging

No other files were modified or created.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Copy link
Collaborator Author

🔗 Additional Context

Original Blog Post: https://tuxplorer.com/posts/account-takeover-via-jsb/

Content Categories: Based on the analysis, this content was categorized under "Mobile Security -> Android Pentesting -> WebView / addJavascriptInterface (JavaScript Bridge) exploitation".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Copy link
Collaborator Author

merge

@carlospolop carlospolop merged commit 61f01db into master Oct 25, 2025
@carlospolop carlospolop deleted the update_Account_takeover_in_Android_app_via_JSB_20251021_124152 branch October 25, 2025 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@carlospolop