WebView loads files from external storage
Description
Loading a page into a WebView with a file:// URL that points at external storage is risky for two reasons. External storage is shared: on devices and API levels where other apps can write to it, any of them can replace the HTML before it is loaded, and the attacker's script then runs inside this app's WebView, with access to any JavaScript bridges the app registered through addJavascriptInterface. In addition, a file:// origin combined with setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs lets that script read other local files, including the app's private data, and send them to a remote server. Either path exposes user data, credentials and other sensitive information to web content the app does not control.
Examples
Insecure Code
```java
import android.os.Environment;
import android.webkit.WebView;

// Loads a page from shared external storage over file://. Any app that can write
// to external storage can swap example.html, and its script then runs inside this
// app's WebView with whatever file and JavaScript-bridge access the WebView has.
webView.loadUrl("file://" + Environment.getExternalStorageDirectory().getPath() + "/example.html");
```
Secure Code
```java
import android.net.Uri;
import android.webkit.WebView;

// Serve the file through this app's own ContentProvider instead of a shared path.
// The provider decides which files are exposed, and nothing is loaded over file://.
Uri contentProviderUri = Uri.parse("content://com.example.myapp.provider/files");
webView.loadUrl(contentProviderUri.toString());
```
Remediation
Do not load file:// URLs from external storage. Ship HTML with the app (in assets or private internal storage) and serve it through WebViewAssetLoader from androidx.webkit, or expose it through a ContentProvider you control, so the WebView never reads from a location other apps can write to. Harden the WebSettings as well: call setAllowFileAccess(false) (the default is true before API 30), setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false) (both default to true before API 16), and setAllowContentAccess(false) unless content:// loads are intended. Keep JavaScript and any addJavascriptInterface bridges disabled for content that is not fully trusted.
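The remediation above put into code, as an added example that is not part of the original rule page: a hardened WebView setup that denies every file:// avenue and serves the app's own HTML through WebViewAssetLoader over a fixed https:// origin. It assumes androidx.webkit is on the classpath and that the page to show ships as src/main/assets/example.html (the file name is taken from the insecure snippet and is hypothetical).

```java
import android.content.Context;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.webkit.WebViewAssetLoader;

// Added example (not the rule's own code): serve bundled HTML over an https://
// origin instead of file:// from external storage, and lock down the settings
// that make file:// dangerous. Assumes androidx.webkit and an asset named
// example.html (hypothetical name).
public final class HardenedWebViewSetup {

    private HardenedWebViewSetup() {}

    public static void configure(Context context, WebView webView) {
        WebSettings settings = webView.getSettings();

        // Deny every file:// avenue. setAllowFileAccess defaults to false only
        // from API 30; the two cross-origin file flags default to false from API 16.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Only enable this if content:// URLs are deliberately loaded.
        settings.setAllowContentAccess(false);

        // WebViewAssetLoader maps the virtual origin https://appassets.androidplatform.net
        // onto read-only APK assets and, optionally, onto the app's private internal
        // storage. Neither location is writable by other apps.
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .addPathHandler("/files/", new WebViewAssetLoader.InternalStoragePathHandler(
                        context, context.getFilesDir()))
                .build();

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                // Requests under a registered path are answered from local storage;
                // anything else returns null and goes to the network as usual.
                return assetLoader.shouldInterceptRequest(request.getUrl());
            }
        });
    }

    public static String pageUrl() {
        // Same-origin https:// URL for src/main/assets/example.html; no file:// involved.
        return "https://appassets.androidplatform.net/assets/example.html";
    }
}
```

Usage from an Activity: `HardenedWebViewSetup.configure(this, webView); webView.loadUrl(HardenedWebViewSetup.pageUrl());`. Because the page now has an https:// origin, same-origin policy applies normally, and a script in it cannot reach the file system even if another part of the app later re-enables file access by mistake.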
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0625 |
| Category | Web |
| Severity | CRITICAL |
| CWE | CWE-749 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | injection, external storage |
| OWASP | A1:2017-Injection, A03:2021-Injection |