Android Magellan Web SQL Vulnerability and WebViews
Are Android WebViews vulnerable to Magellan?
A recently reported vulnerability provides some information on a bug called
Magellan which allows an attacker to execute arbitrary SQL, but how does this affect an Android app which uses a
Mark Murphy (aka commonsware) provides an excellent write up on the situation which details the vulnerability and risk (or lack thereof) for most Android app developers. On
WebViews he notes that
WebViewsupports WebSQL, apparently (I have not used it personally). If you allow the user to view arbitrary Web content in a
WebView, your app may be at risk. If, however, you are only loading your own content (e.g., help pages packaged as assets), you may be safe.
WebViews and Magellan
It would appear that you can enable or disable
WebSQL functionality within your app.
When configuring a
WebView you can also configure its
From the official docs, and empirically,
databaseEnabled should default to
false. This means you should be not be vulnerable to Magellan unless you’ve chosen to enable that feature explicitly.
Testing if Web SQL is Enabled in your App
You can try this client-side storage demo website to check if your
WebSQL or not.