Technical blog from Craig Russell.
Are Android WebViews vulnerable to Magellan?
A recently published vulnerability report describes a bug called Magellan, which allows an attacker to execute arbitrary SQL. How does this affect an Android app that uses a WebView? Are WebViews vulnerable?
Mark Murphy (aka commonsware) provides an excellent write-up on the situation, which details the vulnerability and the risk (or lack thereof) for most Android app developers. On WebViews he notes that:
Android’s WebView supports WebSQL, apparently (I have not used it personally). If you allow the user to view arbitrary Web content in a WebView, your app may be at risk. If, however, you are only loading your own content (e.g., help pages packaged as assets), you may be safe.
It would appear that you can enable or disable WebSQL functionality within your app: when configuring a WebView you can also configure its WebSettings.
val webView: WebView = findViewById(R.id.webView)
// disable Web SQL
webView.settings.databaseEnabled = false
From the official docs, and empirically, databaseEnabled should default to false. This means you should not be vulnerable to Magellan unless you’ve chosen to enable that feature explicitly.
You can try this client-side storage demo website to check if your WebView supports WebSQL or not.
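A check of the kind such a demo page performs, written here as an added example (not code from the original post or from the demo site): it reports whether the WebSQL entry point `window.openDatabase` is exposed and whether a database handle can actually be opened. The names `probeWebSql`, `webSqlReachable` and `sampleWindows` are assumptions made for illustration, and the stand-in window objects are constructed.

```javascript
// Added example: classify WebSQL availability on a window-like object.
// In a page loaded in the WebView under test, pass the real `window`.
function probeWebSql(win) {
  // WebSQL's only entry point is window.openDatabase.
  if (!win || typeof win.openDatabase !== "function") {
    return { status: "absent", detail: "openDatabase is not exposed" };
  }
  try {
    // Arguments: name, version, display name, estimated size in bytes.
    const db = win.openDatabase("websql_probe", "1.0", "WebSQL probe", 1024);
    if (!db) {
      return { status: "blocked", detail: "openDatabase returned no handle" };
    }
    return { status: "usable", detail: "database handle opened" };
  } catch (err) {
    // The API is exposed, but the engine refused to open a database.
    return { status: "blocked", detail: String((err && err.name) || err) };
  }
}

// Only "usable" means page content can reach the WebSQL engine.
function webSqlReachable(win) {
  return probeWebSql(win).status === "usable";
}

// Constructed stand-ins for three environments (not real WebView objects).
const sampleWindows = {
  disabled: {},
  refused: {
    openDatabase() {
      const e = new Error("denied");
      e.name = "SecurityError";
      throw e;
    },
  },
  enabled: { openDatabase: () => ({ transaction() {} }) },
};

// In a browser or WebView, show the result for the real window.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const result = probeWebSql(window);
  document.title = "WebSQL: " + result.status;
}
```

When run against a real window with WebSQL available, the probe creates a small database named `websql_probe`; a result of `absent` or `blocked` is what you want to see in a WebView that loads content you do not control.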