Overview

WebView in Android is a system component built on the Chromium engine that lets Android apps display web content. Plenty of apps simply wrap web pages, or web content bundled inside the app, and most cross-platform frameworks use WebView to present their user interface.

On the more technical side, as a developer you can debug your WebView with ADB. Android WebView has a debugging flag which, when enabled, lets you use Chrome's remote debugging tools to inspect the contents of the WebView.

However, if debugging is disabled, you should not get an entry for your device in Chrome's debug tools, right? Well, you are right, until you apply a small hack to get past this.

The Exploit

We will use smali modification to exploit this.

Smali modification will feel familiar if you have done any Android app pen testing. All you need to do here is identify the package and extract it from the device.

Run this set of commands with the device attached.

$ adb shell pm list packages
$ adb shell pm path <your package name>
$ adb pull /data/app/<your package name>/base.apk

Here the package name is the package ID of the app you want to test; the pull command uses the APK path that pm path printed.

Once you have the APK, decompile it with apktool:

$ apktool d base.apk

Now the hard part: you need to skim through the codebase to identify where to put the smali code. Ideally that is the activity which starts when the app runs. Look at AndroidManifest.xml and identify the launcher activity.

Once you have that figured out, just add this smali code:

# v2 must be within the register count the method declares (.locals / .registers)
const/4 v2, 0x1
# static call: WebView.setWebContentsDebuggingEnabled(true)
invoke-static {v2}, Landroid/webkit/WebView;->setWebContentsDebuggingEnabled(Z)V

The first line loads the boolean true (0x1) into register v2, and the second line calls the static method setWebContentsDebuggingEnabled() of the WebView class, passing that true value.

Recompile the APK with apktool:

$ apktool b ./base

Sign the rebuilt APK (a modified APK must be re-signed) and install it.

That's pretty much it. Open Google Chrome, go to chrome://inspect/devices, and you will see the package name with an inspect option. Click inspect, and you can see all the resources loaded into the web app, including any JavaScript files.

Conclusion

This may not sound like a solid vulnerability, but if the resources loaded into the WebView are not properly sanitized, or include secrets left behind by careless developers, you can take that further. This hack does not directly target the Android system; it is more of a reconnaissance activity to gather as much information as you can from the target app.
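From the developer's side, the lesson of the walkthrough is that WebView debugging is a separate switch from android:debuggable: it stays off until setWebContentsDebuggingEnabled(true) is called, and nothing in the manifest prevents that call from being added later, as the smali patch above shows. The following Java snippet is an added example, not code from the original post, showing how an app can tie the call to its own debuggable flag so a release build never enables it on purpose. The class name SampleApplication is hypothetical; WebView.setWebContentsDebuggingEnabled and ApplicationInfo.FLAG_DEBUGGABLE are real Android APIs.

```java
// Added example (not from the original post): enable WebView remote debugging only
// when the installed build is itself debuggable, so release builds ship with it off.
// SampleApplication is a hypothetical class name; the Android APIs used are real.
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.webkit.WebView;

public class SampleApplication extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        WebView.setWebContentsDebuggingEnabled(isDebuggableBuild());
    }

    // Reads the debuggable flag of the installed app at runtime. Unlike BuildConfig.DEBUG,
    // this reflects the APK actually installed, so a debug-signed test build still gets
    // DevTools while a release build does not.
    private boolean isDebuggableBuild() {
        ApplicationInfo info = getApplicationInfo();
        return (info.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
}
```

This only controls what the shipped build does on its own; a repackaged APK can still add the call, which is exactly the scenario above. The practical mitigation for the reconnaissance risk in the conclusion is therefore to keep secrets out of bundled web resources and to treat anything loaded into the WebView as visible to whoever holds the device.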

Thanks for reading!