{
	"id": "ff70f223-5a33-462f-b8a9-f18e3adc206b",
	"created_at": "2026-04-29T02:21:01.60871Z",
	"updated_at": "2026-04-29T08:22:02.160857Z",
	"deleted_at": null,
	"sha1_hash": "a4d58f2db1896dad878239327d3473eeb90a662e",
	"title": "Webviews – Unsafe URI Loading",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54199,
	"plain_text": "Webviews – Unsafe URI Loading\r\nArchived: 2026-04-29 02:13:15 UTC\r\nWebviews – Unsafe URI Loading Stay organized with collections Save and\r\ncategorize content based on your preferences.\r\nOn this page\r\nOverview\r\nImpact\r\nMitigations\r\nResources\r\nOWASP category: MASVS-CODE: Code Quality\r\nOverview\r\nAn unsafe URI Loading occurs when an Android application fails to correctly evaluate the validity of a URI\r\nbefore loading it into a WebView.\r\nThe underlying reason behind this type of vulnerability is that a URI consists of multiple parts, of which, at a\r\nminimum, the scheme and the host (of the authority part) must be verified (e.g. allowlisted) before the URI gets\r\nloaded to a WebView or is used internally by the application.\r\nThe most common mistakes include:\r\nChecking the host but not the scheme, allowing an attacker to use schemes like http:// , content:// or\r\njavascript:// with an authenticated host.\r\nFailing to parse the URI correctly, especially in cases where the URI is received as a string.\r\nValidating the scheme but not the host (insufficient host validation).\r\nRegarding the last case, this usually occurs when the application needs to allow arbitrary subdomains of a primary\r\ndomain. So, even if the hostname has been extracted correctly, the app uses methods such as startsWith ,\r\nendsWith, or contains of the java.lang.String class to validate the presence of a primary domain in the\r\nextracted string section. Used incorrectly, these methods may lead to faulty results and force the application to\r\nimproperly trust a potentially malicious host.\r\nImpact\r\nDepending on the context in which the host is used, the impact can vary. In cases where loading a malicious URI\r\n(i.e., one that bypassed filtering/allowlist) in a WebView could potentially lead to account takeover (e.g. using\r\nhttps://developer.android.com/privacy-and-security/risks/unsafe-uri-loading\r\nPage 1 of 3\n\nphishing), code execution (e.g., loading malicious JavaScript), or device compromise (exploit code delivered\r\nusing hyperlink).\r\nMitigations\r\nWhen handling string URIs, it is important to parse the string as a URI and validate both the scheme and the host:\r\nfun isUriTrusted(incomingUri: String, trustedHostName: String): Boolean {\r\n try {\r\n val uri = Uri.parse(incomingUri)\r\n return uri.scheme == \"https\" \u0026\u0026 uri.host == trustedHostName\r\n } catch (e: NullPointerException) {\r\n throw NullPointerException(\"incomingUri is null or not well-formed\")\r\n }\r\n}\r\npublic static boolean isUriTrusted(String incomingUri, String trustedHostName)\r\n throws NullPointerException {\r\n try {\r\n Uri uri = Uri.parse(incomingUri);\r\n return uri.getScheme().equals(\"https\") \u0026\u0026\r\n uri.getHost().equals(trustedHostName);\r\n } catch (NullPointerException e) {\r\n throw new NullPointerException(\r\n \"incomingUri is null or not well-formed\");\r\n }\r\n }\r\nFor host validation, after isolating the corresponding URI part, it is important to validate it entirely (rather than\r\npartially) to accurately identify whether the host is trusted or not. When using methods like startsWith or\r\nendsWith can't be avoided, it is important to use the correct syntax and not overlook necessary characters or\r\nsymbols (for example, endsWith requires the \" . \" dot character before the domain name for an accurate match).\r\nNeglecting these characters may lead to inaccurate matches and compromise security. Since subdomains can be\r\ninfinitely nested, regular expression matching is not a recommended strategy for validating hostnames.\r\nContributors: Dimitrios Valsamaras and Michael Peck of Microsoft Threat Intelligence\r\nResources\r\ngetHost() documentation\r\ngetScheme() documentation\r\nhttps://developer.android.com/privacy-and-security/risks/unsafe-uri-loading\r\nPage 2 of 3\n\nContent and code samples on this page are subject to the licenses described in the Content License. Java and\r\nOpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.\r\nLast updated 2024-09-24 UTC.\r\nSource: https://developer.android.com/privacy-and-security/risks/unsafe-uri-loading\r\nhttps://developer.android.com/privacy-and-security/risks/unsafe-uri-loading\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://developer.android.com/privacy-and-security/risks/unsafe-uri-loading"
	],
	"report_names": [
		"unsafe-uri-loading"
	],
	"threat_actors": [],
	"ts_created_at": 1777429261,
	"ts_updated_at": 1777450922,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4d58f2db1896dad878239327d3473eeb90a662e.pdf",
		"text": "https://archive.orkl.eu/a4d58f2db1896dad878239327d3473eeb90a662e.txt",
		"img": "https://archive.orkl.eu/a4d58f2db1896dad878239327d3473eeb90a662e.jpg"
	}
}