Android Magellan Web SQL Vulnerability and WebViews
Are Android WebViews vulnerable to Magellan?
Background Reading
A recently reported vulnerability provides some information on a bug called Magellan
which allows an attacker to execute arbitrary SQL, but how does this affect an Android app which uses aWebView?
Are WebViews
vulnerable?
Mark Murphy (aka commonsware) provides an excellent write up on the situation which details the vulnerability and risk (or lack thereof) for most Android app developers. On WebViews
he notes that
Android’s
WebView
supports WebSQL, apparently (I have not used it personally). If you allow the user to view arbitrary Web content in aWebView
, your app may be at risk. If, however, you are only loading your own content (e.g., help pages packaged as assets), you may be safe.
WebViews and Magellan
It would appear that you can enable or disable WebSQL
functionality within your app.
When configuring a WebView
you can also configure its WebSettings
.
From the official docs, and empirically, databaseEnabled
should default to false
. This means you should be not be vulnerable to Magellan unless you’ve chosen to enable that feature explicitly.
Testing if Web SQL is Enabled in your App
You can try this client-side storage demo website to check if your WebView
supports WebSQL
or not.