YoVDO

Securing Webviews and The Story Behind CVE-2021-21136

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses
Android Development Courses
iOS Development Courses
Mobile Application Security Courses

Course Description

Overview

Explore the intricacies of securing Webviews and uncover the story behind CVE-2021-21136 in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into common Webview-related security issues, including insecure Deeplink implementation, insufficient URL validation, and lack of Webview isolation. Learn prevention techniques to enhance mobile application security and robustness. Discover the journey behind identifying and reporting the Chromium CVE-2021-21136, which exposed sensitive data leakage in Android Webviews. Gain insights from security experts Imdadullah Mohammed and Shiv Sahni as they share their extensive experience in application security, penetration testing, and secure code reviews. Examine detailed code snippets, demonstrations, and real-world examples to understand the complexities of Webview security and its impact on mobile application development.

Syllabus

Introduction
Chef Sajan
India Mohammed
Agenda
What is a CV
Webviews
Load URL API
Deep Links
Conclusion
Mobile Application Workflow
Bug Explanation
Initial Observations
Timeline
Demo
Role of Plan
Common Webview Issues
Use Case
Code snippet
Insufficient URL validation
Issue with GetHost
Impact
Unintended Data Leakage
Sharing Sensitive Data
Lack of Isolation
Learnings / Recommendations
Secure URL Validation
Webview Implementation
Android Webview Implementation
iOS Webview Implementation
iOS Webview Settings
Learnings
References
Live Slide


Taught by

Hack In The Box Security Conference
