// security probe v1.0
WebView Attack Surface Test
Load this page in your WebView to detect vulnerabilities.
Result categories: VULNERABLE / EXPOSED / SAFE / PENDING

JavaScript Bridge (HIGH)

Android JavascriptInterface
Checks for window.Android / common bridge names exposed to JS

iOS WKScriptMessageHandler
Checks for window.webkit.messageHandlers exposure

Bridge Method Enumeration
Attempts to enumerate callable methods on found bridges

File System Access (HIGH)

file:// Protocol Fetch
Attempts to fetch a local path via file:// URI

XHR to file:// URI
XHR request targeting local Android shared_prefs path

content:// Provider Access (Android)
Attempts access to Android content providers via URI scheme

Storage & Secrets (HIGH)

localStorage Read
Reads all keys from localStorage — may contain tokens or session data

sessionStorage Read
Reads all keys from sessionStorage

Cookie Read
Reads document.cookie — auth tokens, session IDs may be present

IndexedDB Access
Checks if IndexedDB is accessible and can list databases

Data Exfiltration (HIGH)

Outbound fetch() to External Host
Tests if page can POST data to an arbitrary external server

Image-tag Exfil Beacon
Creates an <img> tag to beacon data via URL params (bypasses some CORS blocks)

Clipboard Read
Attempts to read clipboard (passwords, 2FA codes)

Intent / Deeplink Hijacking (MEDIUM)

intent:// URL Scheme (Android)
Injects an intent:// link to test if the WebView forwards it to the OS

Custom App Scheme Navigation
Attempts to navigate to a hypothetical app:// deeplink

Environment Fingerprint (MEDIUM)

User-Agent Leak
Reads navigator.userAgent — reveals app name, version, OS

Geolocation API
Tests if Geolocation API is accessible without an explicit prompt

Device Memory / Hardware Concurrency
navigator.deviceMemory and hardwareConcurrency fingerprinting

Protocol in Use
Detects if page was loaded over HTTP (no TLS) vs HTTPS

CSP / Mixed Content (LOW)

CSP Meta Tag Presence
Detects if a Content-Security-Policy meta tag was injected by the app

Mixed Content Script Load
Attempts to inject an HTTP script tag while on HTTPS

eval() Available
Tests if eval() is blocked — important if user content ever reaches JS

Event Log
// awaiting test run...