Security Flaw with UIWebView

UIWebView is something Apple already deprecated, and it is the API most developers complain about its performance — without native code, app can’t necessarily take full advantage of a device’s power.

However, this article shares a security flaw of UIWebView, with a simple demo to show how we use UIWebView to grab user’s info such as id, name, encrypted password, etc.

Step 1 — Let us create a html file(hack.html) with following source code:

This html file tries to open and read the passwd file under /etc directory. Allow me to share some background knowledge in case you are not familiar with iOS File System:

1. /etc contains host-specific configuration files. It is the directory inherited from traditional UNIX installation.
2. passwd is a colon-separated file that contains the following information:

• User name
• Encrypted password
• User ID number (UID)
• User’s group ID number (GID)
• Full name of the user (GECOS)
• User home directory
• Login shell

If you are interested in details about file system, Apple offers guide here.

Step 2 — Create a Single View App in Xcode, then drag and drop the hack.html we just created to the project.

Then open ViewController.swift, delegate a UIWebView to the view. Here is the sample code:

Step 3 — Build and run the app, below is the screenshot of how the UIWebView will show:

Now hackers are aware of private info without user’s authorization. This looks really creepy!

So why UIWebView has this security issue? How to fix it? Does WKWiebView has the similar problem?

UIWebView has this issue due to two properties — WebKitAllowUniversalAccessFromFileURLs and WebKitAllowFileAccessFromFileURLs are by default turned on. This allows UIWebView to access file with its url. We can turn it off manually to remove the danger.

On the other hand, we do not need to worry about WKWiebView, as those mentioned properties are by default turned off.

Finally, here are tips to avoid security flaws in your app:

• Keep an eye on any html files adopted by app to load something
• Pay attention to the html file if it touches files on device
• Do not use UIWebView
• Please do not turn on WebKitAllowUniversalAccessFromFileURLs or WebKitAllowFileAccessFromFileURLs while using WKWebView.