Securing Webviews and The Story Behind CVE-2021–21136

PRESENTATION SLIDES (PDF)

Webview: an in-app web browser created to give a seamless user experience without context switching between the browser and the mobile application. It lets developers display web content directly within their mobile application and supports code reuse, so Webviews are used extensively in current mobile application development. This presentation covers the common Webview-related security issues and the techniques that prevent them, making mobile applications more secure and robust. We will be talking about the following common security issues and their prevention:

  • Insecure Deeplink implementation
  • Insufficient URL validation
  • Insufficient Webview hardening
  • Lack of Webview isolation
  • Unintended data leakage via misconfigured Webview
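As an added illustration of the URL validation and Webview hardening items above (this is example code written for this page, not material from the talk or its slides), the Android snippet below shows a WebView configured with unneeded capabilities switched off and a `WebViewClient` that only follows navigations to an exact-match host allowlist. The class name `HardenedWebView`, the helper names and the hosts `app.example.com` / `login.example.com` are assumptions for the example.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper class; not from the talk or any real project.
public final class HardenedWebView {

    // Constructed sample allowlist: the only hosts the in-app browser may navigate to.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "login.example.com"));

    // True only for https URLs whose host is exactly on the allowlist.
    // Exact matching (not startsWith/contains) avoids "example.com.attacker.test"
    // style bypasses; Uri.getHost() already strips any user-info prefix.
    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equalsIgnoreCase(scheme)
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Applies a least-privilege WebSettings baseline and installs the navigation gate.
    static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);                 // enable only if the content needs it
        s.setAllowFileAccess(false);                   // no file:// loads
        s.setAllowContentAccess(false);                // no content:// loads
        s.setAllowFileAccessFromFileURLs(false);       // deprecated, still relevant on old API levels
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setGeolocationEnabled(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // no http subresources on https pages

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView NOT to load the URL, so every
                // navigation outside the allowlist is dropped rather than followed.
                return !isAllowed(request.getUrl());
            }
        });
    }

    // Entry point for URLs that arrive from outside the app (for example via a deeplink):
    // nothing is loaded unless it passes the same allowlist check.
    static boolean loadIfAllowed(WebView webView, String url) {
        Uri uri = Uri.parse(url);
        if (!isAllowed(uri)) return false;
        webView.loadUrl(uri.toString());
        return true;
    }
}
```

The two checks deliberately share one `isAllowed` predicate: the initial load (where a deeplink parameter often lands) and every later in-page navigation are judged by the same rule, so a redirect or link inside trusted content cannot carry the Webview, and any session material it holds, to an unlisted origin.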

In the later part of the presentation, we will cover the story behind obtaining the Chromium CVE-2021-21136 (https://bugs.chromium.org/p/chromium/issues/detail?id=1038002), a security issue in Android Webviews that led to the leakage of sensitive data such as users' auth tokens and shared secrets to third parties.

MAIN CONFERENCE
Location: Track 2
Date: August 27, 2021
Time: 3:00 pm - 4:00 pm
Speakers: Imdadullah Mohammed, Shiv Sahni