지인이 사업을 하는데, 안드로이드앱(웹앱)에 다음과 같은 문제가 생겼습니다.

WebView 관련 보안이슈인거 같은데, 

겨우겨우 안드로이드 스튜디오 2.3.3에 소스 올려서 구경만하는 수준의 제가 해결할 수 없는 문제라 도움을 구해봅니다.

아래 메시지만 가지고 도움을 주실 수 있는 분이 계실지..

혹은 알바수준으로 아래 문제를 해결해서 앱 업데이트를 해주실 분이 있으실지... (비용은 지인과 협의해봐야하구요)

아무튼 쌩판 모르는 거라 다양한 의견을 듣고, 지인에게 바람직한 해결책을 제시해주고 싶습니다.

감사합니다.

Hello Google Play Developer,

We have determined that one or more of your apps contain a WebView Cross-App scripting issue which can allow malicious apps to steal user cookies and other data.

Action required

Please follow the steps below to fix the issue with your apps (listed at the end of this email). You can refer to the notice in your Play Console for the deadline to fix this problem. After this deadline, updates to affected apps will be blocked if the vulnerability is still present. Your published APK version will remain unaffected.

Additional details

WebViews that enable Javascript and load data read from untrusted Intents can be tricked by malicious apps into executing Javascript code in an unsafe context. You should prevent this vulnerability in one of the following ways:

Option 1: Ensure that affected activities are not exported

Find any Activities with affected WebViews. If these Activities do not need to take Intents from other apps you can set android:exported=false for the Activities in your Manifest. This ensures that malicious apps cannot send harmful inputs to any WebViews in these Activities.

Option 2: Protect WebViews in exported activities

If you want to set an Activity with an affected WebView as exported then we recommend that you make the following changes:

• Update your targetSdkVersion
  
  Ensure that your targetSdkVersion meets Google Play's target API level requirement. Apps with a targetSdkVersion of 16 or lower evaluate Javascript URLs passed to loadUrl in the currently loaded page context. Targeting SDK version 16 or lower and calling loadUrl using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.
  
  
• Protect calls to evaluateJavascript
  
  Ensure that parameters to evaluateJavascript are always trusted. Calling evaluateJavascript using unsanitized input from untrusted Intents lets attackers execute harmful scripts in the affected WebView.
  
  
• Prevent unsafe file loads
  
  Ensure that affected WebViews cannot load the cookie database. WebViews that load unsanitized file:// URLs from untrusted Intents can be attacked by malicious apps in the following way. A malicious web page can write script tags into the cookies database and then a malicious app can send an Intent with a file:// URL pointing to your WebView cookies database. The malicious script will execute if the cookies database is loaded in a WebView and can steal session information.
  
  You can ensure that affected WebViews cannot load the WebView cookies database in two ways. You can either disable all file access or you can verify that any loaded file:// URLs point to safe files. Note that an attacker can use a symbolic link to trick checks on the URL path. To prevent such an attack, be sure to check the canonical path of any untrusted file:// URL before loading instead of just checking the URL path.

Next steps

1. Update your app using the steps highlighted above.
2. Sign in to your Play Console and submit the updated version of your app.

Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.

We're here to help

If you have technical questions about the vulnerability, you can post to Stack Overflowand use the tag "android-security." For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Affected apps

Affected apps and versions are listed below, up to 20. You can sign in to your Play Console to view a full list of all affected apps and to find the relevant classes in your apps that contain the vulnerability.

com.smartcamping   89