CodeQL documentation

Access Java object methods through JavaScript exposure

ID: java/android/webview-addjavascriptinterface
Kind: problem
Security severity: 6.1
Severity: warning
Precision: medium
   - security
   - external/cwe/cwe-079
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Calling the addJavascriptInterface method of the android.webkit.WebView class allows the web pages of a WebView to access a Java object’s methods via JavaScript.

Objects exposed to JavaScript are available in all frames of the WebView.


If you need to expose Java objects to JavaScript, guarantee that no untrusted third-party content is loaded into the WebView.


In the following (bad) example, a Java object is exposed to JavaScript.

import android.webkit.JavascriptInterface;
import android.database.sqlite.SQLiteOpenHelper;

class ExposedObject extends SQLiteOpenHelper {
    public String studentEmail(String studentName) {
        // SQL injection
        String query = "SELECT email FROM students WHERE studentname = '" + studentName + "'";

        Cursor cursor = db.rawQuery(query, null);
        String email = cursor.getString(0);

        return email;

webview.addJavaScriptInterface(new ExposedObject(), "exposedObject");
webview.loadData("", "text/html", null);

String name = "Robert'; DROP TABLE students; --";
webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");


  • © GitHub, Inc.
  • Terms
  • Privacy