Authorization / Recorded Calls to Dangerous Webview Settings API
Description
Recorded calls to dangerous WebView settings API is a vulnerability in Android and mobile applications that allows attackers to record audio on the device without authorization. This vulnerability is categorized as an Authorization vulnerability and is identified by the Common Weakness Enumeration (CWE) as CWE-284. According to the OWASP Testing Guide, the vulnerability can be tested for by checking for the presence of any permission requests for audio recording.
Risk
The risk associated with this vulnerability is high, as it could allow an attacker to gain access to sensitive information or to modify data. If exploited, this vulnerability could lead to data exfiltration or data manipulation.
Solution
The best way to fix this vulnerability is to ensure that every audio recording is authorized by the user before the application is allowed to access the device. Additionally, all applications should be tested for this vulnerability by scanning for any permission requests for audio recording.
Example
import android.Manifest;
import android.content.pm.PackageManager;
import android.media.MediaRecorder;
import androidx.core.content.ContextCompat;
import java.io.File;
import java.io.IOException;

// Inside an Activity (or any Context) that owns a MediaRecorder instance.
public void recordAudio() {
    // Only touch the microphone once the user has granted RECORD_AUDIO.
    if (checkPermission()) {
        try {
            mediaRecorder.setAudioSource(MediaRecorder.AudioSource.MIC);
            // An output format, encoder and output file must be set before prepare(),
            // otherwise prepare() throws IllegalStateException.
            mediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
            mediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
            mediaRecorder.setOutputFile(new File(getCacheDir(), "recording.3gp").getAbsolutePath());
            mediaRecorder.prepare();
            mediaRecorder.start();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

// Returns true only if the RECORD_AUDIO runtime permission is currently granted.
public boolean checkPermission() {
    int result = ContextCompat.checkSelfPermission(this, Manifest.permission.RECORD_AUDIO);
    return result == PackageManager.PERMISSION_GRANTED;
}
In the above code example, the function checkPermission() is used to check whether or not the user has granted permission to record audio before executing the code which starts the recording.
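The example above only checks whether the permission is already granted; it does not show how the user is asked for it, which is what the Solution section requires. The following is an added example (not from the original page) of the complete Android runtime-permission flow: the app checks for RECORD_AUDIO, prompts the user through the system dialog if it is missing, and starts the recorder only after the grant result comes back. AudioRecorderActivity, REQUEST_RECORD_AUDIO, requestRecordAudioOrStart() and startRecording() are names chosen for this example; everything else is standard Android / AndroidX API.

```java
// Added example: request RECORD_AUDIO at runtime and only record once the user grants it.
// Assumes an AppCompatActivity; the class and method names below are chosen for this example.
import android.Manifest;
import android.content.pm.PackageManager;
import android.media.MediaRecorder;
import android.os.Bundle;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;
import java.io.File;
import java.io.IOException;

public class AudioRecorderActivity extends AppCompatActivity {
    private static final int REQUEST_RECORD_AUDIO = 1001;  // arbitrary request code
    private MediaRecorder mediaRecorder;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // AndroidManifest.xml must also declare
        // <uses-permission android:name="android.permission.RECORD_AUDIO" />;
        // the runtime prompt below is what actually authorizes microphone access.
        requestRecordAudioOrStart();
    }

    private void requestRecordAudioOrStart() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.RECORD_AUDIO)
                == PackageManager.PERMISSION_GRANTED) {
            startRecording();  // already authorized by the user
            return;
        }
        // Not yet granted: show the system prompt. The answer arrives asynchronously in
        // onRequestPermissionsResult(); the recorder must not be started here.
        ActivityCompat.requestPermissions(this,
                new String[]{Manifest.permission.RECORD_AUDIO}, REQUEST_RECORD_AUDIO);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_RECORD_AUDIO) {
            return;
        }
        // grantResults is empty when the request was interrupted; treat that as denied.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startRecording();
        } else {
            Toast.makeText(this, "Microphone access was not granted", Toast.LENGTH_SHORT).show();
        }
    }

    // Only ever reached after the permission check or the user's grant.
    private void startRecording() {
        mediaRecorder = new MediaRecorder();
        try {
            mediaRecorder.setAudioSource(MediaRecorder.AudioSource.MIC);
            mediaRecorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
            mediaRecorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
            mediaRecorder.setOutputFile(new File(getCacheDir(), "recording.3gp").getAbsolutePath());
            mediaRecorder.prepare();
            mediaRecorder.start();
        } catch (IOException | IllegalStateException e) {
            mediaRecorder.release();
            mediaRecorder = null;
        }
    }

    @Override
    protected void onStop() {
        super.onStop();
        // Release the microphone as soon as the activity leaves the foreground.
        if (mediaRecorder != null) {
            try {
                mediaRecorder.stop();  // throws RuntimeException if nothing was recorded
            } catch (RuntimeException ignored) {
            }
            mediaRecorder.release();
            mediaRecorder = null;
        }
    }
}
```

The point of the structure is that the only path into startRecording() runs through either a positive checkSelfPermission() result or a positive grant in onRequestPermissionsResult(); a reviewer or scanner looking for this weakness can verify that property by confirming no other caller reaches the MediaRecorder setup.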