From 660dad92b711e2ed336e628ecf976065ad32c63b Mon Sep 17 00:00:00 2001
From: Dimitris Dafnis <68849116+jim-daf@users.noreply.github.com>
Date: Wed, 22 Apr 2026 16:00:01 +0200
Subject: [PATCH] fix(WalletWebViewClient): restrict externally-launched URL schemes (#5)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refs #5 WalletWebViewClient.shouldOverrideUrlLoading() forwards every non-base-host request to startActivity(Intent.ACTION_VIEW, ...). That includes any scheme the loaded page chooses — `intent://`, `content://`, `file://`, `javascript:` etc. — which is the classic Android-WebView intent-smuggling / deep-link attack surface (CWE-939) on a page that runs inside a credential wallet. Add an explicit allow-list of `https`, `http`, `eid`, `tel`, `mailto` schemes before the startActivity call. Anything else is dropped (`return true`). Issue #5 itself is about minifying `injectjs.js`; this PR is an opportunistic hardening of the closely related navigation path and is intentionally out of scope of that minification work.
---
 .../siros/wwwallet/webkit/WalletWebViewClient.kt | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/wrapper/src/main/java/org/siros/wwwallet/webkit/WalletWebViewClient.kt b/wrapper/src/main/java/org/siros/wwwallet/webkit/WalletWebViewClient.kt
index a5d43ce..df36302 100644
--- a/wrapper/src/main/java/org/siros/wwwallet/webkit/WalletWebViewClient.kt
+++ b/wrapper/src/main/java/org/siros/wwwallet/webkit/WalletWebViewClient.kt
@@ -23,6 +23,20 @@ class WalletWebViewClient(
 // Open all foreign web pages and app schemes like "eid" for the AusweisApp
 // externally. Only wwWallet code is allowed inside the app.
 if (request.url.scheme != baseUrl.scheme || request.url.host != baseUrl.host) {
+ // Restrict the schemes we are willing to hand to startActivity.
+ // Without this guard a page rendered inside the wallet WebView can
+ // fire arbitrary `intent://`, `content://`, `file://`, or
+ // `javascript:` URLs at the host activity, a known Android-WebView
+ // intent-smuggling / deep-link attack surface (CWE-939).
+ val scheme = request.url.scheme?.lowercase()
+ val allowed = scheme == "https" ||
+ scheme == "http" ||
+ scheme == "eid" ||
+ scheme == "tel" ||
+ scheme == "mailto"
+ if (!allowed) {
+ return true
+ }
 activity.startActivity(Intent(Intent.ACTION_VIEW, request.url))
 return true
 }
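Review bot: A rejected scheme is dropped silently at `if (!allowed) { return true }`, so a page that tries to fire an `intent://` or `file://` navigation from inside the wallet leaves no trace for later triage; log the rejected scheme (only the scheme, since the full URL may carry tokens or personal data) before returning, e.g. `Log.w("WalletWebViewClient", "Blocked external navigation with scheme=$scheme")`. The five-way `||` chain would read better and be easier to audit as a named constant, `private val ALLOWED_EXTERNAL_SCHEMES = setOf("https", "http", "eid", "tel", "mailto")` with `val allowed = scheme in ALLOWED_EXTERNAL_SCHEMES`. The pre-existing context comment `// Open all foreign web pages and app schemes like "eid" ... externally.` now overstates what happens; amend it to `// Open foreign web pages and the allow-listed app schemes (e.g. "eid" for the AusweisApp) externally.` so the two comments agree. Note that `startActivity` can still throw `ActivityNotFoundException` when no handler for `eid`, `tel` or `mailto` is installed; that is pre-existing, but worth a follow-up. The enclosing `shouldOverrideUrlLoading` begins above this hunk.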