 

Security risks for using WebView (iOS, Android)

I am a beginner in mobile programming and wanted to know if the web view is bad. I have heard from the apps team in our company that enabling web view is a security risk in itself (we deal with finance data :) ).

I was planning to use it for a simple Captcha; however, my question is more like:

Is a WebView a strict NO NO from a security perspective?

Please let me know.

Any help is appreciated.

Aravind R asked Sep 02 '15 15:09


1 Answer

That depends on how you use WebView in your app. For example, the Gmail app uses WebView to view emails in a very safe way. The major risks come if you load arbitrary 3rd-party content into your WebView. Browsers deal with this problem by sandboxing web pages inside separate processes, so even if the page code exploits some security vulnerability of the rendering engine and gains control over it, it still would not be able to act on behalf of the browser. WebView is single-process, so any security vulnerability in the renderer engine practically grants the malicious code the same rights as your application has.

So basically, the rule #1 for safe WebView use is to only load trusted content inside it. If you need to display user-provided content, accept plain text only and sanitize it. Avoid enabling JavaScript if possible. Target the most recent API level you can allow for your app -- otherwise WebView may enable insecure features for compatibility with older apps that would not work without them.

Mikhail Naganov answered Sep 30 '22 06:09
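
The rules in the answer above, sketched for an Android WebView as an added example (not code from the answer or its author). The host `app.example.com` and the function names are assumptions chosen for illustration; the navigation callback used here requires API level 24 or later.

```kotlin
import android.net.Uri
import android.text.TextUtils
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumption: the single origin this app trusts (placeholder host).
private const val TRUSTED_HOST = "app.example.com"

// Only HTTPS pages on the trusted host count as trusted content.
fun isTrusted(uri: Uri): Boolean =
    uri.scheme == "https" && uri.host == TRUSTED_HOST

fun hardenWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = false   // already the default; stated explicitly
        allowFileAccess = false     // no file:// loads from app storage
        allowContentAccess = false  // no content:// provider loads
    }
    webView.webViewClient = object : WebViewClient() {
        // Called for navigations started inside the page (links, redirects).
        // Returning true cancels the navigation. It is not called for the
        // initial loadUrl() or for subresources, so loadTrusted() checks too.
        override fun shouldOverrideUrlLoading(
            view: WebView,
            request: WebResourceRequest
        ): Boolean = !isTrusted(request.url)
    }
}

// Entry point for page loads: refuses anything outside the trusted origin.
fun loadTrusted(webView: WebView, url: String) {
    require(isTrusted(Uri.parse(url))) { "Refusing to load untrusted URL" }
    webView.loadUrl(url)
}

// User-provided content is shown as plain text only: HTML-escape it and
// render it with no base URL, so it has no origin to borrow.
fun showUserText(webView: WebView, userText: String) {
    val escaped = TextUtils.htmlEncode(userText)
    val html = "<!DOCTYPE html><html><body><pre>$escaped</pre></body></html>"
    webView.loadDataWithBaseURL(null, html, "text/html", "UTF-8", null)
}
```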