
WebViews Deep Dive

Avoid using WebViews for mobile integrations.

This post gives a high-level overview of Amazon's recommendations for third-party (3P) partners integrating Amazon web pages into mobile platforms such as Android and iOS.

The section below explains the reasons behind the advisory against 3P partners using WebViews to display Amazon web pages such as Login with Amazon (LWA) or, where applicable, Prime-specific pages.

  1. By implementing WebViews, a mobile application may become vulnerable to XSS, JavaScript injection, Insecure Direct Object References, and path traversal attacks. With those known vulnerabilities, the attack surface also expands to include Adversary-in-the-Middle, cache control, deep-linking, bridging, and runtime-related vectors.

    • JavaScript injection occurs when malicious JavaScript is injected into the WebView at runtime.
    • Path traversal attacks aim to access files and directories outside the WebView's intended scope.
    • Bridging and runtime attacks occur when JavaScript sends data to the JS bridge in a way that leads to arbitrary code execution (https://en.wikipedia.org/wiki/Arbitrary_code_execution) or to access to sensitive or restricted data, permissions, or classes. JS bridge functions are exposed to the entire WebView, so any script running in it can call them.
  2. As recommended in the OAuth 2.0 for Native Apps RFC (RFC 8252, section 8.12, https://datatracker.ietf.org/doc/html/rfc8252#section-8.12), WebViews should not be used, for the following key reasons:

    • In typical web-view-based implementations of embedded user-agents, the host application can record every keystroke entered in the login form to capture usernames and passwords, automatically submit forms to bypass user consent, and copy session cookies and use them to perform authenticated actions as the user.
    • Even when used by trusted apps belonging to the same party as the authorization server, embedded user-agents violate the principle of least privilege by having access to more powerful credentials than they need, potentially increasing the attack surface.
    • Encouraging users to enter credentials in an embedded user-agent without the usual address bar and visible certificate validation features that browsers have makes it impossible for the user to know whether they are signing in to the legitimate site; even when they are, it trains them that it's OK to enter credentials without validating the site first.
  3. Amazon is going through a planned change to specifically restrict access to Amazon pages, including Prime-owned pages, through WebViews. This will apply to all Amazon pages in future, with the changes planned from Q3 2022. This includes restricting customer logins through pages opened in WebViews on mobile platforms. External partners are strongly advised to integrate using the recommended browser-based solutions: either the mobile browser itself, or Chrome Custom Tabs on Android and Safari View Controller on iOS.

  4. Apart from the security reasons, customers will also experience less friction with a browser-based solution: Chrome Custom Tabs and Safari View Controller not only persist cookies (unlike a WebView) but also share them with the system browser (Chrome or Safari). For workflow pages such as the Prime sign-up use case, this avoids a re-login if the customer is already logged in on the mobile browser. Debugging in a WebView is also difficult and outdated, whereas the browser and Chrome Custom Tabs/Safari View Controller use up-to-date mechanisms that are deeply integrated with the OS, allowing easy debugging with standard tools (for example, chrome://inspect/#devices allows debugging a Chrome Custom Tab as well).
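The two patterns discussed above, as an added Android example that is not part of the original post and not Amazon's own SDK code: a WebView login with a JavaScript bridge (the pattern items 1 and 2 warn against) beside a Chrome Custom Tabs launch of the authorization request with PKCE, which is the browser-based flow RFC 8252 recommends. It assumes the androidx.browser dependency is available; the authorization URL, client ID and redirect URI are placeholder parameters, and the Activity that receives the redirect (declared with an intent filter in the manifest) and the token-endpoint exchange are left out.

```kotlin
// Added example (not Amazon's code). Assumes androidx.browser is on the classpath.
import android.content.Context
import android.net.Uri
import android.util.Base64
import android.webkit.JavascriptInterface
import android.webkit.WebView
import androidx.browser.customtabs.CustomTabsIntent
import java.security.MessageDigest
import java.security.SecureRandom

// --- The pattern the advisory warns against --------------------------------
// Every @JavascriptInterface method is callable by ANY script running in the
// WebView, including script injected via XSS or by an on-path attacker, so
// the host app's privileges leak to the page (item 1 above).
class TokenBridge(private val persist: (String) -> Unit) {
    @JavascriptInterface
    fun storeToken(token: String) = persist(token)   // reachable from page JS
}

fun loginInWebView(webView: WebView, loginUrl: String) {
    webView.settings.javaScriptEnabled = true
    webView.addJavascriptInterface(TokenBridge { /* write to storage */ }, "AppBridge")
    // The host app also sees every keystroke and cookie on this page
    // (RFC 8252 section 8.12), and the user has no address bar to verify the site.
    webView.loadUrl(loginUrl)
}

// --- The recommended pattern -----------------------------------------------
// Open the authorization request in an in-app browser tab (Chrome Custom Tabs).
// The page runs in the browser's sandbox with the browser's cookie jar, the app
// never sees credentials, and the result comes back only via the redirect URI.
// PKCE (RFC 7636) binds the authorization code to this app instance.
object Pkce {
    private val rng = SecureRandom()
    private val flags = Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP

    // 32 random bytes -> 43 unreserved characters, within the RFC 7636 bounds.
    fun newVerifier(): String =
        Base64.encodeToString(ByteArray(32).also(rng::nextBytes), flags)

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    fun challenge(verifier: String): String =
        Base64.encodeToString(
            MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII)),
            flags
        )
}

// Values the app must remember between launching the tab and handling the redirect.
data class PendingAuth(val verifier: String, val state: String)

fun buildAuthorizeUri(authorizeUrl: String, clientId: String, redirectUri: String,
                      state: String, codeChallenge: String): Uri =
    Uri.parse(authorizeUrl).buildUpon()
        .appendQueryParameter("response_type", "code")
        .appendQueryParameter("client_id", clientId)
        .appendQueryParameter("redirect_uri", redirectUri)
        .appendQueryParameter("scope", "profile")          // placeholder scope
        .appendQueryParameter("state", state)
        .appendQueryParameter("code_challenge", codeChallenge)
        .appendQueryParameter("code_challenge_method", "S256")
        .build()

// authorizeUrl, clientId and redirectUri are placeholders for the partner's own config.
fun loginInCustomTab(context: Context, authorizeUrl: String, clientId: String,
                     redirectUri: String): PendingAuth {
    val pending = PendingAuth(verifier = Pkce.newVerifier(), state = Pkce.newVerifier())
    val uri = buildAuthorizeUri(authorizeUrl, clientId, redirectUri,
                                pending.state, Pkce.challenge(pending.verifier))
    CustomTabsIntent.Builder().build().launchUrl(context, uri)
    return pending
}

// Called from the Activity that owns the redirect URI. Returns the authorization
// code, or null if the state does not match what we sent (CSRF / mix-up check).
// The code is then exchanged at the token endpoint together with pending.verifier.
fun handleRedirect(redirect: Uri, pending: PendingAuth): String? {
    if (redirect.getQueryParameter("state") != pending.state) return null
    return redirect.getQueryParameter("code")
}
```

The Custom Tab path never gives the app a handle on the login page: there is no settings object to enable JavaScript on, no bridge to attach, and the cookies set during login stay with the browser, which is also what lets a customer already signed in to Chrome skip a second login as item 4 describes.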