WKWebView, it can be completely disabled, preventing all script injection flaws.
hasOnlySecureContent property can be used to verify resources loaded by the WebView are retrieved through encrypted connections.
WKWebView implements out-of-process rendering, so memory corruption bugs won't affect the main app process.
SFSafariViewController and this is one of the reasons why the usage of
WKWebView is recommended when the goal is extending the app's user interface.
SFSafariViewController also shares cookies and other website data with Safari.
SFSafariViewController are not visible to the app, which cannot access AutoFill data, browsing history, or website data.
SFSafariViewControllers may not be hidden or obscured by other views or layers.
WKPreferences and ensure that the
UIWebViews, when using
WKWebViews it is possible to detect mixed content (HTTP content loaded from an HTTPS page). By using the method
hasOnlySecureContent it can be verified whether all resources on the page have been loaded through securely encrypted connections. In the compiled binary:
ObjC.choose() to find instances of the different types of WebViews and also search for the properties
loadData:MIMEType:textEncodingName:baseURL: to load local HTML files and
loadRequest: for web content. Typically, the local files are loaded in combination with methods including, among others:
init(contentsOf:encoding:). In addition, you should also verify if the app is using the method
loadFileURL:allowingReadAccessToURL:. Its first parameter is
URL and contains the URL to be loaded in the WebView, its second parameter
allowingReadAccessToURL may contain a single file or a directory. If it contains a single file, that file will be available to the WebView. However, if it contains a directory, all files in that directory will be made available to the WebView. Therefore, it is worth inspecting this parameter and, if it is a directory, verifying that no sensitive data can be found inside it.
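The difference between a narrow and a broad read-access scope, as an added Swift example that is not part of the original page. The helper `loadLocalPage`, its `webRoot` parameter and the `LocalLoadError` type are hypothetical names; `loadFileURL(_:allowingReadAccessTo:)` is the Swift spelling of the method discussed above.

```swift
import Foundation
import WebKit

// Hypothetical error type for this example.
enum LocalLoadError: Error {
    case outsideWebRoot(URL)
}

// Hypothetical helper (not a WebKit API): load a local page while granting
// the WebView read access only to a dedicated web-assets directory.
@discardableResult
func loadLocalPage(_ page: URL, webRoot: URL, in webView: WKWebView) throws -> WKNavigation? {
    // Resolve symlinks and ".." so the containment check compares real paths.
    let pagePath = page.standardizedFileURL.resolvingSymlinksInPath().path
    var rootPath = webRoot.standardizedFileURL.resolvingSymlinksInPath().path
    if !rootPath.hasSuffix("/") { rootPath += "/" }

    // Refuse to load a page that lives outside the directory we expose.
    guard pagePath.hasPrefix(rootPath) else {
        throw LocalLoadError.outsideWebRoot(page)
    }

    // Only files under webRoot become readable by the loaded content.
    return webView.loadFileURL(page, allowingReadAccessTo: webRoot)
}

// For comparison, the two extremes of the second parameter:
//
// Overly broad: every file under the Documents directory becomes readable.
//   webView.loadFileURL(page, allowingReadAccessTo: documentsDirectory)
//
// Narrowest: only the page itself is readable.
//   webView.loadFileURL(page, allowingReadAccessTo: page)
```

When reviewing an app, the value passed as the second argument is the one to trace: a directory that also holds databases, caches or user files widens what the WebView content can read.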
file:// scheme is always enabled.
file:// URLs is always enabled.
file:// URLs is always enabled.
baseURL is also set to
nil you will see that it is not set to "null", instead you'll obtain something similar to the following:
applewebdata://5361016c-f4a0-4305-816b-65411fc1d780. This origin "applewebdata://" is similar to the "file://" origin as it does not implement Same-Origin Policy and allows access to local files and any web resources.
file:// scheme URL to access content from other
file:// scheme URL to access content from any origin.
JSContext associated with a WebView and analyze what functionality it exposes, for example no sensitive data should be accessible and exposed to WebViews. In Objective-C, the
JSContext associated with a
UIWebView is obtained as follows:
WKWebView can still send messages back to the native app but in contrast to
UIWebView, it is not possible to directly reference the
WKWebView. Instead, communication is implemented using a messaging system and using the
console.log() are not printed to the Xcode logs. It's still relatively easy to debug web content with Safari's developer tools, although there are a couple of limitations: