What You Ought To Know About Android WebViews

Do you use WebViews in your Android app? If you say ‘no’, are you sure? What about the third-party libraries/SDKs that you have included? Many of them, such as ad libraries and the Facebook and LinkedIn SDKs, use WebViews.

In researching references for AndroidSecurity.guru I realised that the use of WebViews is probably the most overlooked area when it comes to security. They are usually used to simplify development: content and behaviour can be changed on the server without an app re-install. They are also used by the majority of app creation tools, because HTML and JavaScript are very easy to generate dynamically and run (in WebViews).

The problem is that WebViews come with lots of security holes. There are broadly two areas of concern. The first is classic cross-site scripting where, for whatever reason (e.g. a WiFi man-in-the-middle attack or a server-side breach), the app ends up loading and running rogue HTML/JavaScript. The second is the bridge from JavaScript to the app’s Java code, which can expose your app’s programming interfaces to whatever page happens to be loaded.

I have some suggestions for tightening up WebView security. However, some of them might limit the functionality your WebViews need. It is also difficult to apply these suggestions to third-party SDKs, especially when you don’t have their source code.
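To make the two areas of concern concrete, here is an added example (not code from the original post or from AndroidSecurity.guru) showing a typical weak WebView setup beside a hardened one. It uses only standard `android.webkit` APIs; the host name `app.example.com`, the `NarrowBridge` class and the method names inside it are assumptions made for the illustration.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class WebViewHardening {

    // Hypothetical allowlist of hosts the WebView may navigate to.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    /** Weak setup: both problem areas from the post are present. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configureWeak(WebView webView, Object bridge) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                   // page JS can read local files
        s.setAllowUniversalAccessFromFileURLs(true);  // file:// pages bypass same-origin
        // Every public method of 'bridge' becomes callable from page JavaScript;
        // on API < 17 its whole object graph is reachable via reflection.
        webView.addJavascriptInterface(bridge, "Android");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.proceed(); // accepts any certificate, so a MITM can inject HTML/JS
            }
        });
        webView.loadUrl("http://app.example.com/"); // cleartext: trivially tampered with
    }

    /** Hardened setup: least privilege for the page, HTTPS only, fail closed on TLS errors. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void configureHardened(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);      // off unless the page really needs it
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
            WebView.setWebContentsDebuggingEnabled(false); // no remote debugging in release
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                // Returning true blocks the navigation; only allowlisted HTTPS URLs load.
                return !isAllowed(Uri.parse(url));
            }
            @Override
            public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel(); // never proceed past a certificate error
            }
        });
        webView.loadUrl("https://app.example.com/");
    }

    /** HTTPS and an allowlisted host are both required. */
    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    /**
     * If a bridge is unavoidable (minSdk 17+), expose only what is annotated.
     * Hypothetical class: the method names are illustrative only.
     */
    public static final class NarrowBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }

        // Not annotated: not callable from JavaScript on API 17+.
        public void clearLocalData() { /* privileged app logic */ }
    }
}
```

The hardened variant addresses the post's two concerns directly: the allowlist plus `handler.cancel()` make injected content from a network or server compromise much harder to deliver, and restricting the bridge to `@JavascriptInterface`-annotated methods (with `addJavascriptInterface` avoided altogether where possible) limits what page JavaScript can reach in the app. Whether `needsJavaScript` can be `false` is the first question to ask; many WebViews only render static content.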

For apps that deal with sensitive data and really have to be secure, for example banking and payment apps, I’d think deeply about whether you really need to be using WebViews, or third-party SDKs that incorporate WebViews, at all.