Technical blog from Craig Russell.


Android Magellan Web SQL Vulnerability and WebViews

Are Android WebViews vulnerable to Magellan?

Background Reading

A recently reported vulnerability provides some information on a bug called Magellan which allows an attacker to execute arbitrary SQL, but how does this affect an Android app which uses a WebView? Are WebViews vulnerable?

Mark Murphy (aka commonsware) provides an excellent write up on the situation which details the vulnerability and risk (or lack thereof) for most Android app developers. On WebViews he notes that:

Android’s WebView supports WebSQL, apparently (I have not used it personally). If you allow the user to view arbitrary Web content in a WebView, your app may be at risk. If, however, you are only loading your own content (e.g., help pages packaged as assets), you may be safe.

WebViews and Magellan

It would appear that you can enable or disable WebSQL functionality within your app: when configuring a WebView you can also configure its WebSettings.

val webView: WebView = findViewById(

// disable Web SQL
webView.settings.databaseEnabled = false

From the official docs, and empirically, databaseEnabled should default to false. This means you should not be vulnerable to Magellan unless you’ve chosen to enable that feature explicitly.

Testing if Web SQL is Enabled in your App

You can try this client-side storage demo website to check if your WebView supports WebSQL or not.