Android WebView App-Defined Websites

This page analyzes the security of app-defined websites in the Android WebView.

Component Focus

android_webview/browser/aw_app_defined_websites.cc and related files.

The file retrieves domains from the Android manifest, which could be manipulated by a malicious app.
The file caches the domains, which could lead to stale data if the manifest changes.
The file loads includes from asset statements, which could be vulnerable to network attacks.
The file uses JNI calls, which could be vulnerable to JNI-related issues.

The GetAppDefinedDomainsFromManifest function retrieves domains from the Android manifest using JNI calls. This function should be carefully analyzed for potential vulnerabilities.
The GetAssetStatmentsWithIncludes function loads includes from asset statements. This function should be carefully analyzed for potential vulnerabilities, such as network attacks or malicious content.
The AppDefinedWebsites class caches the domains. This cache should be carefully analyzed for potential vulnerabilities, such as stale data or cache poisoning.
The file uses base::ThreadPool to perform tasks in the background. This should be analyzed for potential race conditions or other threading issues.
The file uses base::BarrierCallback to synchronize multiple tasks. This should be analyzed for potential issues with the barrier callback.

How are the domains used by the WebView?
What are the security implications of a malicious app manipulating the Android manifest?
What are the security implications of a malicious server providing malicious asset statements?
How does the WebView handle errors when loading asset statements?
How does the WebView handle changes to the Android manifest?

How do secure contexts interact with app-defined websites?
Are there any vulnerabilities related to secure contexts and app-defined websites?