
I am working on an application which is largely written in Native and supporting Ice Cream Sandwich. However, I need to add some WebViews. There are lots of discussions on WebView security, and when I use setJavaScriptEnabled(true), it gives me a warning: "Using setJavaScriptEnabled can introduce XSS vulnerabilities into your application, review carefully."

I just want to be very careful using WebView and setJavaScriptEnabled(true). I have followed the Android WebView Security Tips and suggestions. But there is no best-practice checklist.

What I have done so far:

  1. Only load trusted content to WebView. Either from local html or from our back end.
  2. Intercept all requests from WebView by implementing

    webView.setWebViewClient(new WebViewClient() {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            // magic
            return true;
        }
    });
    
  3. Make sure all back end requests are using https and only sent to our back end.
  4. Detect SSL warning.
  5. Checksum check local html/JavaScript files.
  6. Minify JavaScript files
  7. Update Security Provider to Protect Against SSL Exploits

There are also some other protections not specifically for WebView, such as encrypting messages and a jailbroken check, etc.

Is there anything else I am missing? How secure is my app?

Thanks

Steven
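An added example, not code from the question or from the Android documentation, that folds the measures in the list above into one WebView setup: only https navigation to an allowlisted host is let through, file and content access are switched off, and a certificate error cancels the load instead of being ignored. The class name HardenedWebView and the host api.example.com are assumptions for the example.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Example hardening helper; the class name and allowlist are assumptions, not the app's code. */
public final class HardenedWebView {
    // Hosts the WebView may navigate to (constructed placeholder value).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("api.example.com"));

    /** True only for https URLs whose host is on the allowlist; javascript:, file:, http: all fail. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);     // required by the app's pages; everything else is closed down
        s.setAllowFileAccess(false);      // page content cannot read file://
        s.setAllowContentAccess(false);   // nor content:// providers
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW); // no http subresources
        }
        // No addJavascriptInterface() call: nothing native is exposed to page script.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true swallows the navigation, so only allowlisted https loads proceed.
                return !isAllowed(url);
            }
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel(); // never proceed() past a certificate error
            }
        });
    }
}
```

shouldOverrideUrlLoading is only invoked for top-level navigations, not for subresource loads such as scripts or images, so the allowlist above restricts where the page can go, not every request it makes; shouldInterceptRequest is the hook for those.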

1 Answer


As per doc,

To enable Safe Browsing for all WebViews in your app, add in a manifest tag:

    <manifest>
        <application>
            <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                       android:value="true" />
            . . .
        </application>
    </manifest>

Because WebView is distributed as a separate APK, Safe Browsing for WebView is available today for devices running Android 5.0 and above. With just one added line in your manifest, you can update your app and improve security for most of your users immediately.

Android Developer
  • Isn't EnableSafeBrowsing set to true by default? "While the default value of EnableSafeBrowsing is true, there are occasional cases when you may want to only enable Safe Browsing conditionally or disable it. Android 8.0 (API level 26) and higher support using setSafeBrowsingEnabled()" – TSlegaitis Mar 12 '19 at 13:54
  • It is inside the [application tag](https://developer.android.com/guide/webapps/managing-webview), isn't it? – Amg91 Mar 17 '20 at 16:34
  • Yes, as in the previous comment: the meta-data tag is not allowed outside of the application tag in the manifest. – ziniestro Jun 02 '23 at 05:12