6

I am a beginner in mobile programming and wanted to know if the web view is bad?. I have heard from apps team in our company that enabling web view is a security risk in itself( we deal with finance data :) ).

I was planning to use it for a simple Captcha however my question is more like

IS a Webview a strict NO NO from a security perspective?.

Please let me know.

Any help is appreciated.

Aravind R
  • 716
  • 1
  • 10
  • 36

1 Answers1

7

That depends on how you use WebView in your app. For example, GMail app uses WebView to view emails in a very safe way. The major risks come if you load arbitrary 3rd-party content into your WebView. Browsers deal with this problem by sandboxing web pages inside separate processes, so even if the page code exploits some security vulnerability of the rendering engine and gains control over it, it still would not be able act on behalf of the browser. WebView is single-process, so any security vulnerability in the renderer engine practically grants the malicious code the same rights as your application has.

So basically, the rule #1 for safe WebView use is to only load trusted content inside it. If you need to display user-provided content, accept plain text only and sanitize it. Avoid enabling JavaScript if possible. Target the most recent API level you can allow for you app -- otherwise WebView may enable insecure features for compatibility with older apps that would not work without them.

Mikhail Naganov
  • 6,643
  • 1
  • 26
  • 26
  • Thanks a lot for the comment. The point that the web frame is a single process is a valid concern. Why i was evaluating this was to display a captcha inside the APP. the Captcha technology all together uses a javascript that loads the content within a div within the webview. Does it make it any better if we load the content from third party in an IFrame within the webview. It wont get a whole page access and also in this case the interactions are minimum. However to laod captcha they load a bunch of javascriipt from there server. – Aravind R Sep 03 '15 at 19:36
  • 1
    @AravindR: loading in an iframe will not help if the page is exploiting some renderer vulnerability via JavaScript. If you don't fully trust your third party, you should not use any code from them. Loading their code into WebView from security standpoint is pretty much the same as taking their Java code into your app without even looking at it :) – Mikhail Naganov Sep 05 '15 at 00:58
  • @MikhailNaganov so if I trust the third party content, I can consider enabling JavaScript secure? the play store showing alert and the doc says: "If your application doesn't directly use JavaScript within a WebView, do not call setJavaScriptEnabled(). Some sample code uses this method, which you might repurpose in production application, so remove that method call if it's not required." what I'm thinking about is what if the js is needed? will play store reject my app update? – bsma Jul 13 '20 at 07:40