{
	"id": "91d7c0fb-396e-4900-a011-0c0335ba1a03",
	"created_at": "2026-04-06T01:30:40.005471Z",
	"updated_at": "2026-04-10T13:11:36.663048Z",
	"deleted_at": null,
	"sha1_hash": "b613721bc43d885414c6f39b2e2f2a8f5d8d1f7c",
	"title": "APP-8 · Mobile Threat Catalogue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51393,
	"plain_text": "APP-8 · Mobile Threat Catalogue\r\nArchived: 2026-04-06 00:17:04 UTC\r\nMobile Threat Catalogue\r\nWebView App Vulnerable to Browser-Based Attacks\r\nThreat Category: Vulnerable Applications\r\nID: APP-8\r\nThreat Description: A mobile app that implements a WebView, which allows it to render and potentially perform\r\nactions available in a web page, may contain vulnerabilities to common browser-based attacks, such as cross-site\r\nrequest forgery, cross-site scripting, and injection of malicious dynamic content (e.g., JavaScript). Further, exploits\r\ndelivered over web pages may allow remote exploitation of vulnerabilities in other app components, thereby\r\ngaining access to data or functionality outside the context of the vulnerable WebView.\r\nThreat Origin\r\nNot Applicable, See Exploit or CVE Examples\r\nExploit Examples\r\nWebView addJavaScriptInterface Remote Code Execution 1\r\nDRD13. Do not provide addJavaScriptInterface method access in a WebView which could contain untrusted\r\ncontent 2\r\nRemote code execution on Android devices 3\r\nCVE Examples\r\nCVE-2017-0587\r\nCVE-2017-0588\r\nCVE-2017-0589\r\nCVE-2017-0590\r\nCVE-2017-0591\r\nCVE-2017-0592\r\nPossible Countermeasures\r\nEnterprise\r\nUse app-vetting tools or services to identify vulnerable applications.\r\nUse a proxy or VPN for connections to decrease the chance of success of a man-in-the-middle attack.\r\nMobile App Developer\r\nAlways use https URLs for WebView content.\r\nAvoid enabling the WebView JavaScript bridge (with addJavascriptInterface) unless explicitly needed.\r\nReferences\r\n1. “WebView addJavaScriptInterface Remote Code Execution”, 24 Sept. 2013;\r\nhttps://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/ [accessed\r\n8/25/2016] ↩\r\n2. F. Long, “DRD13. 
Do not provide addJavascriptInterface method access in a WebView which could\r\ncontain untrusted content. (API level JELLY_BEAN or below)”, 8 Apr. 2015;\r\nwww.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614 [accessed\r\n8/25/2016] ↩\r\n3. T. Sutcliffe, “Remote code execution on Android devices”, blog, 31 July 2014;\r\nhttps://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/ [accessed 8/25/2016] ↩\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html"
	],
	"report_names": [
		"APP-8.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439040,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b613721bc43d885414c6f39b2e2f2a8f5d8d1f7c.pdf",
		"text": "https://archive.orkl.eu/b613721bc43d885414c6f39b2e2f2a8f5d8d1f7c.txt",
		"img": "https://archive.orkl.eu/b613721bc43d885414c6f39b2e2f2a8f5d8d1f7c.jpg"
	}
}