
We are using the Ionic3/Angular framework to build mobile applications. But in one of the applications, our internal security team raised a security threat inside the WebView.

First issue: "Unnecessary Usage of Javascript in Android Application's Webview".

Comment-1:

The following setting allows WebView to execute JavaScript code:

WebSettings webSettings = myWebView.getSettings();
webSettings.setJavaScriptEnabled(true);

Second issue: Unnecessary Support for Plugins in Android Application's Webview

Comment-2:

During source code review, it was found that support for plugins is enabled. By default, it is set to false, but the following code snippet found in the source code confirms that support for plugins is enabled.

webview = new WebView(this);
webview.getSettings().setPluginsEnabled(true);

or

webview = new WebView(this);
webview.getSettings().setPluginState(PluginState.ON);

We did not get what type of security threat is in the above code. Can anybody suggest the best approach?
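Added example, not part of the original question or of any project's code: a small source-review check that reports where Java code turns on the WebView settings named in the two comments above, so each hit can be confirmed as required or removed. The function names, rule labels and the sample source are constructed for illustration.

```python
import re

# The calls quoted in the review comments, matched only when they enable the feature.
RULES = [
    ("javascript-enabled", re.compile(r"\.setJavaScriptEnabled\(\s*true\s*\)")),
    ("plugins-enabled", re.compile(r"\.setPluginsEnabled\(\s*true\s*\)")),
    ("plugins-enabled",
     re.compile(r"\.setPluginState\(\s*(?:WebSettings\.)?PluginState\.ON\s*\)")),
]

# String literal | line comment | block comment (strings are matched so that
# a "//" inside a string is not mistaken for a comment).
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)

def strip_comments(source):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    def blank(match):
        text = match.group(0)
        if text.startswith('"'):
            return text
        return re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(blank, source)

def audit(source):
    """Return (line number, rule label, code) for every enabling call found."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
    return findings

# Constructed sample input (not taken from any real application).
SAMPLE = '''\
WebView webview = new WebView(this);
WebSettings s = webview.getSettings();
s.setJavaScriptEnabled(true);
// s.setPluginsEnabled(true);
s.setPluginState(PluginState.ON);
s.setPluginState(WebSettings.PluginState.OFF);
/* s.setJavaScriptEnabled(true); */
s.setJavaScriptEnabled(false);
'''

if __name__ == "__main__":
    for lineno, rule, code in audit(SAMPLE):
        print(f"line {lineno}: {rule}: {code}")
```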
