Android_JavaScript_Bridge_Enumerator
Runtime WebView bridge enumeration & UA-surface inspection from a Web browser context.
Android WebView JSI Inspector (Beta) Version 1.0
Runtime WebView bridge enumeration & UA-surface inspection from a Web browser context.
What it does
This tool loads as a normal web page inside a target Android WebView and then:
- compares
windowagainst a clean iframe baseline - identifies anomalous globals that look like injected JavaScript interfaces
- scores likely bridge objects using simple runtime heuristics
- records the effective browser environment visible to the page, including the current User-Agent
- exports findings as JSON for later analysis
What it does not do
This release is intentionally page-context only.
It does not:
- perform native instrumentation
- hook Android APIs directly
- recover the host app identity unless that identity leaks into the observable page environment
Instead it reports the effective runtime surface exposed to the loaded page.
Why this is useful
Static analysis often misses bridge exposure that depends on runtime flow, conditional injection, app build variants, or navigation context.
This tool is designed for cases where you can influence or control the URL loaded into a WebView and want a lightweight way to inspect:
- exposed bridge objects
- suspicious runtime globals
- User-Agent leakage
- environment fingerprints visible from browser JavaScript
Workflow
-
Get a target Android app to load this page in its WebView.
-
Let the page scan the runtime environment.
-
Review:
- likely bridges
- function-like keys
- constructor names
- UA/environment leakage
-
Export the JSON results.
Heuristic Detection Model
The scanner performs passive structural analysis of the JavaScript environment and does not invoke any functions.
1. Baseline comparison
The tool creates a clean <iframe> and collects its window keys, then compares them against the active page:
- baseline = clean iframe
window - observed = current WebView
window - candidates =
observed - baseline
This isolates environment-specific globals, including potential bridge objects.
2. Deep inspection
Each candidate is analyzed without execution:
typeof- constructor name
- function-like keys
- property previews across prototype chain (bounded depth)
3. Bridge-likelihood heuristics
Each candidate is evaluated using four signals:
Method density
Objects exposing multiple callable functions are more likely to be bridges.
- flagged if ≥ 5 function-like keys
Non-standard constructor
Constructors not matching known browser/DOM types are flagged.
Suspicious naming
Regex patterns detect common bridge naming:
android,bridge,webview,native,handler,api, etc.
Unusual type
Values that are not typical object or function types are flagged.
4. Scoring model
Each signal contributes +1:
- method-heavy
- non-standard constructor
- name match
- unusual type
Score interpretation:
- High likelihood: ≥ 3
- Medium: 2
- Low: 1
5. Runtime-first approach
This tool answers:
“What is actually exposed to this page at runtime?”
This is important because bridge exposure may be:
- conditional
- navigation-dependent
- feature-gated
- environment-specific
Safety model
- passive inspection only
- no discovered functions are invoked
- JSON export is user-triggered
Limitations
This is a heuristic system, not a proof of exploitation.
False positives
Some framework or app globals may appear bridge-like.
False negatives
Bridges may evade detection if:
- minimally exposed
- generically named
- injected later in runtime
No native attribution
The tool cannot determine:
- which Android API exposed an object
- which app package owns it
- whether
setUserAgentString()was used
It only observes the effective runtime environment.
Beta notes
This is a beta release intended for research, defensive security testing & WebView analysis workflows.
Known characteristics:
- export includes metadata useful for operator review
- fingerprint hash is deterministic for the current environment snapshot and detected bridge set
Files
index.html- self-contained scanner pageLICENSE- MIT license
License
MIT