A WebView is a simple mobile app element that allows web pages to be rendered within an app. Hybrid and native apps are applicable, which provides browser functionality within the app. It started with Webkit (www.webkit.org) and later, post Android 4.4 KitKat, moved on to Chromium (www.chromium.org).
The CVE-2012-6636 vulnerability, in which attackers are able to inject malicious JavaScript into the app and take control of the device, has created sleepless nights for developers.
The difference between WebView and a web browser is that WebView runs within the context of a mobile app that is embedded. All the attacks on browsers are applicable to WebView.
Let's now create a scenario of an attacker's hosted website sending a malicious link inside WebView to the user of an app, similar to the cross-site scripting attack, and the attacker is able to inject the code into the WebView and execute the JavaScript code on the device level.
We have used Metasploit (http://www.metasploit...