
I have a local HTML file using Javascript code. I'm using webview for loading the HTML file for my android app. I just display text content in my application. There are no navigations or user logins on my screen.

I'm using setJavaScriptEnabled(true) and setWebViewClient in my Java code to load. I get a warning about XSS vulnerabilities for using setJavaScriptEnabled(true).

I'm not calling other .js or .css files either.

I'm not invoking any other websites in my application. Is my Android app secure enough from piracy or should I add additional code or steps to protect my application code from hackers? Please suggest.

Sud
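An added example (not code from the question or its answers) of what a hardened setup for this exact case looks like: a WebView that only ever renders one bundled HTML page, with JavaScript on but with file, content and network access closed off. It assumes androidx.webkit is on the classpath, minSdk 21 or higher, and a hypothetical page stored at src/main/assets/index.html. Serving the page through WebViewAssetLoader instead of file:// gives it a normal https origin, so the page's script cannot reach file:///data/data/... paths, and the WebViewClient refuses every navigation and subresource outside that origin.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import androidx.webkit.WebViewAssetLoader;

import java.io.ByteArrayInputStream;

// Added example: a WebView locked down to a single bundled page (not the original post's code).
public final class LocalPageWebView {

    // Assets are served from this origin instead of file:// so ordinary same-origin
    // rules apply and the page can never address file:///data/data/... itself.
    private static final String ASSET_HOST = "appassets.androidplatform.net";
    private static final String START_PAGE = "https://" + ASSET_HOST + "/assets/index.html"; // hypothetical file name

    private LocalPageWebView() {}

    public static void configure(Context context, WebView webView) {
        final WebViewAssetLoader assetLoader = new WebViewAssetLoader.Builder()
                .addPathHandler("/assets/", new WebViewAssetLoader.AssetsPathHandler(context))
                .build();

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);             // the page's own script needs it
        settings.setAllowFileAccess(false);              // no file:// loads at all
        settings.setAllowContentAccess(false);           // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);  // belt and braces: irrelevant without file://,
        settings.setAllowUniversalAccessFromFileURLs(false); // but harmless to pin down
        settings.setGeolocationEnabled(false);
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // Deliberately no addJavascriptInterface(): the page gets no bridge into Java.
        // Remote debugging stays off so release builds cannot be inspected via Chrome DevTools.
        WebView.setWebContentsDebuggingEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            // Serve only what the asset loader knows; anything else gets an empty response
            // instead of a network request.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                WebResourceResponse response = assetLoader.shouldInterceptRequest(request.getUrl());
                if (response != null) {
                    return response;
                }
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }

            // The String overload is still what the WebResourceRequest default delegates to on
            // API 24+, so this single override covers every supported API level.
            @SuppressWarnings("deprecation")
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url)); // returning true cancels the navigation
            }
        });

        webView.loadUrl(START_PAGE);
    }

    // Navigation is permitted only inside the asset origin and the /assets/ path.
    static boolean isAllowed(Uri uri) {
        return "https".equals(uri.getScheme())
                && ASSET_HOST.equals(uri.getHost())
                && uri.getPath() != null
                && uri.getPath().startsWith("/assets/");
    }
}
```

Call LocalPageWebView.configure(this, webView) from the Activity instead of calling loadUrl("file:///android_asset/...") directly. The point of the design is that the lint warning about setJavaScriptEnabled(true) is about what a page's script can reach; with no JavaScript interface, no file:// origin and no network, a script in the bundled page has nothing to reach.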

2 Answers


Too late to post an answer. Hope this might be useful for people in future.

Android webview is highly vulnerable to cross site scripting since it doesn't have any preventive mechanisms that are used by modern browsers like Chrome or Firefox. Webview is also vulnerable to Insecure Direct Object References and SQL Injection.

The XSS vulnerability potential can be used to gain access to shared preference files using the file:/// command or can utilize smsJSInterface.launchSMSActivity to send unwanted SMS messages from the phone.

Either you have to disable JavaScript for the WebView or, if you can't do this, be sure that each context is escaped properly by using an XSS filter component such as the OWASP Java Encoder Project.

Anonymous Platypus
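The answer's last suggestion, escaping per context with the OWASP Java Encoder, as an added example (not code from the answer): the HTML handed to the WebView is assembled from two untrusted strings, once by raw concatenation and once with each value encoded for the context it lands in (element body versus JavaScript string literal). It assumes the dependency org.owasp.encoder:encoder on the classpath and uses the appassets origin from androidx.webkit's WebViewAssetLoader as the base URL; the sample inputs are constructed.

```java
import android.webkit.WebView;

import org.owasp.encoder.Encode;

// Added example: context-specific output encoding before handing HTML to a WebView
// (not the original answer's code).
public final class SafeHtmlRenderer {

    private SafeHtmlRenderer() {}

    // VULNERABLE: raw concatenation. Angle brackets in displayName become markup and a
    // single quote in note terminates the JavaScript string literal early.
    static String buildUnsafe(String displayName, String note) {
        return "<html><body><h1>" + displayName + "</h1>"
             + "<script>var note = '" + note + "';</script></body></html>";
    }

    // SAFE: each value is encoded for the exact context it is written into.
    // forHtml() handles element content; forJavaScript() handles the string literal,
    // so neither a quote nor a </script> sequence in note can leave the literal.
    static String buildSafe(String displayName, String note) {
        return "<html><body><h1>" + Encode.forHtml(displayName) + "</h1>"
             + "<script>var note = '" + Encode.forJavaScript(note) + "';</script>"
             + "</body></html>";
    }

    public static void show(WebView webView, String displayName, String note) {
        String html = buildSafe(displayName, note);
        // A non-file base URL keeps the document out of the file:// origin that the
        // answer above warns about. Host is the androidx WebViewAssetLoader default.
        webView.loadDataWithBaseURL("https://appassets.androidplatform.net/assets/",
                html, "text/html", "utf-8", null);
    }

    // Constructed sample values for a manual comparison of the two builders.
    static String[] sampleInputs() {
        return new String[] { "Sud <b>& co</b>", "it's \"quoted\"" };
    }
}
```

Running buildUnsafe and buildSafe over sampleInputs() and diffing the two strings shows the difference: in the unsafe version the bold tag renders and the script is syntactically broken by the apostrophe, in the safe version the heading shows the literal text and the script's variable holds the original string. Encoding belongs at the point of output, in the Java that builds the page, not in the page's JavaScript after the damage is done.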

Refer to this best answer

The question I linked you above has a lot of methods implemented by the guy that made the question. Excellent work of his, if you ask me. Still he is concerned about how secure his app is. Well, if you are developing for old devices (4.0 and below) maybe using the techniques that he is using is the best option. Otherwise, just do what the best answer is suggesting and add this to your manifest:

<manifest>
    <application>
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                   android:value="true" />
        . . .
    </application>
</manifest>

This will enable Safe Browsing for all WebViews in your app.

Good luck, hope it helped :)

badjuice
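The manifest entry above turns Safe Browsing on app-wide. As an added example (not code from the answer), here is the per-WebView runtime equivalent from androidx.webkit, which also lets the app confirm that the installed WebView actually supports the feature and decide what happens on a hit. It assumes androidx.webkit on the classpath; on a WebView implementation without Safe Browsing support, enable() reports false so the app knows it is not protected.

```java
import android.webkit.WebResourceRequest;
import android.webkit.WebView;

import androidx.annotation.NonNull;
import androidx.webkit.SafeBrowsingResponseCompat;
import androidx.webkit.WebSettingsCompat;
import androidx.webkit.WebViewClientCompat;
import androidx.webkit.WebViewFeature;

// Added example: opting a single WebView into Safe Browsing at runtime and handling hits
// (not the original answer's code).
public final class SafeBrowsingSetup {

    private SafeBrowsingSetup() {}

    // Enables Safe Browsing for this WebView and returns whether it is really active.
    public static boolean enable(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.SAFE_BROWSING_ENABLE)) {
            // Old WebView implementation: no feature, so no protection to rely on.
            return false;
        }
        WebSettingsCompat.setSafeBrowsingEnabled(webView.getSettings(), true);
        return WebSettingsCompat.getSafeBrowsingEnabled(webView.getSettings());
    }

    // Sends the user back instead of showing the default interstitial when a
    // flagged resource is hit; the boolean asks the service to record the hit.
    public static final class Client extends WebViewClientCompat {
        @Override
        public void onSafeBrowsingHit(@NonNull WebView view, @NonNull WebResourceRequest request,
                                      int threatType, @NonNull SafeBrowsingResponseCompat callback) {
            if (WebViewFeature.isFeatureSupported(WebViewFeature.SAFE_BROWSING_RESPONSE_BACK_TO_SAFETY)) {
                callback.backToSafety(true);
            } else {
                super.onSafeBrowsingHit(view, request, threatType, callback); // default interstitial
            }
        }
    }
}
```

Use it as SafeBrowsingSetup.enable(webView) followed by webView.setWebViewClient(new SafeBrowsingSetup.Client()). Note that Safe Browsing only classifies URLs that the WebView fetches; for an app that, as in the question, displays a bundled page and never navigates anywhere, it adds nothing to the XSS question and only matters once remote content is loaded.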