Menu
I am a beginner in mobile programming and wanted to know if the web view is bad?. I have heard from apps team in our company that enabling web view is a security risk in itself( we deal with finance data :) ).
I was planning to use it for a simple Captcha however my question is more like
IS a Webview a strict NO NO from a security perspective?.
Please let me know.
Any help is appreciated.
586
That depends on how you use WebView in your app. For example, GMail app uses WebView to view emails in a very safe way. The major risks come if you load arbitrary 3rd-party content into your WebView. Browsers deal with this problem by sandboxing web pages inside separate processes, so even if the page code exploits some security vulnerability of the rendering engine and gains control over it, it still would not be able act on behalf of the browser. WebView is single-process, so any security vulnerability in the renderer engine practically grants the malicious code the same rights as your application has.
So basically, the rule #1 for safe WebView use is to only load trusted content inside it. If you need to display user-provided content, accept plain text only and sanitize it. Avoid enabling JavaScript if possible. Target the most recent API level you can allow for you app -- otherwise WebView may enable insecure features for compatibility with older apps that would not work without them.
197
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
