Android WebView is writing session cookies to an sqlite database on witch i need to enable cookie encryption.
Reported by
arfaou...@gmail.com,
May 12 2017
|
||
Issue descriptionSteps to reproduce the problem: 1. A security audit has detected that cookie's value within the sqllite database for the application. /data/data/com.my.app/app_webview/Cookies This is easily viewable via the app aSQLiteManager on a rooted phone. this happen on My Google Nexus 5X with Android 7.. What is the expected behavior? Cookie Encryption on Android WebView CookieManager's persisted Cookies What went wrong? My question is : How to enable Cookies Encryption on Android WebView ? Now I know that, on Chromium based webviews, Cookies Encryption is implemented Based on this Article : http://thehackernews.com/2014/01/Chrome-encrypt-web-cookies-tool.html I Use the android CookieManager to Set Cookies for the WebView.. Like this : public void setCookies(String domain, List<Cookie> cookies){ CookieManager cookieManager = CookieManager.getInstance(); cookieManager.setAcceptCookie(true); for (Cookie cookie : cookies) { String cookieString = cookie.getName() + "=" + cookie.getValue() + "; Domain=" + cookie.getDomain(); cookieManager.setCookie(domain, cookieString); } } Is there a way to activate Cookies Encryption on Android WebView ? There must a way to secure writing cookies to storage by CookieManager .. How to enable Cookies Encryption on Android WebView ? Did this work before? N/A Does this work in other browsers? N/A Chrome version: 51.0.2704.79 Channel: n/a OS Version: 10.0 Flash Version: Shockwave Flash 25.0 r0 Any Help In Appreciated !! Thank you in Advance
,
May 12 2017
On new Android devices which use file-based encryption (available in Android 7.0 and up, but the vendor decides which encryption mechanism to use), all data stored by applications is already encrypted using per-user encryption keys. This includes your Nexus 5X. The database can only be read once the user's unlock code has been entered, even with root. Also, rooted devices are outside of Android's security model; secure devices are not expected to permit any application (or the user) to have root access at all. On earlier versions of Android which use full-disk encryption, the entire storage (for all users) is unlocked at boot, not just the specific user who unlocked the device, and that's about the best it can do. The app sandbox still prevents users from accessing each others' data, however. Older devices that don't use encryption at all are just out of luck. Android does not have a platform-specific app-accessible encryption method like the one used internally by Chrome on other OSes, so that's not applicable here.
,
May 15 2017
Hello, Thank you for your quick response My question is : is there any way to invoke cookies' encryption routine implemented on chromium based webview- from my android application ? what should i tell clients that have their session http-only cookies plain text in Cookie data bases on their Nexus 5X android 7.0 phones ? Any Help In Appreciated !! Thank you in Advance
,
May 15 2017
This is basically reiterating what Torne wrote. No. There is no way to invoke the chromium cookie encryption code on Android, but even ifyou could enable this feature it would not provide any additional security. If you read https://bugs.chromium.org/p/chromium/issues/detail?id=313323#c15 you'll see that the decision has been made not to enable this feature on Android, in favour of the OS level protection. Full disk encryption has been mandated since M, and file based encryption since N. This protects data when the user has not authenticated to the device. FBE also encrypts data with different keys per user. Application data directories are also not accessible by other running applications. In the case of a privilege escalation on the device it would not matter if the cookie jar was encrypted, because the malicious code can control your application to exfiltrate cookie jar contents, using that encryption key to obtain plain text data if necessary.
,
May 15 2017
ok thx had to be sure !! |
||
►
Sign in to add a comment |
||
Comment 1 by ppolise...@chromium.org
, May 12 2017