Hybrid App development has become a common method used in commercial applications. Its biggest advantage is the ability to use H5 to develop dynamically updated content pages, which are then loaded using the WebView component provided by the mobile native system. This approach not only saves development costs for Android and iOS clients but also allows for dynamic updates of page content without requiring application version iterations. However, WebView has a major drawback: inevitable security issues.
For example, traffic on the Wi-Fi network you connect to may be hijacked through some network operators' DNS systems, so that inexplicable advertisements appear at the bottom of the page or elsewhere when you open the app's WebView. Worse yet, the WebView may be redirected to other web pages that manipulate the application or device at will, posing significant security risks.
Google has been working to address this issue. Recently, there has been some progress. According to the official Android Developers blog, starting from Android O, WebView will use a renderer process that is independent of the hosted application, providing an isolated space.
This approach is similar to the Chrome browser, giving WebView two levels of isolation:
- The WebView rendering engine is separated into an independent process. This means that there will be no crashes in our main application due to WebView loading errors, and malicious third-party websites will find it difficult to attack the hosted application through the renderer.
- The renderer process running in the isolated process sandbox is restricted from using device resources. For instance, the renderer cannot write data to the disk or perform network communications. This isolation can further defend against malicious attacks.
The latest version of WebView also integrates Google's Safe Browsing mechanism to protect users and alert them about potentially risky websites. Once Safe Browsing is enabled, WebView checks the URLs it accesses against the Safe Browsing database of malware and phishing websites and shows a danger warning before the user opens them.
At this point, you may be wondering how to enable Safe Browsing in WebView. It's simple: add the following meta-data element inside the `<application>` element of the app's Manifest file, and all WebViews used in the current app will support Safe Browsing:

```xml
<manifest>
    <application>
        <!-- Application-level meta-data: WebView reads this flag from the
             application's meta-data, so it must be a child of <application>. -->
        <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                   android:value="true" />
        ...
    </application>
</manifest>
```
Since WebView is distributed as an independent APK, devices running Android 5.0 and above already support WebView safe browsing. You just need to add the above configuration code in the manifest file to make your hybrid application safer.
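A build-time check for this setting, as an added example (not code from the original article or from Android): it parses a source-form `AndroidManifest.xml` and reports whether the Safe Browsing flag is present as application meta-data, which is where the Android documentation places it. The function name, result labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
FLAG = "android.webkit.WebView.EnableSafeBrowsing"


def flag_values(parent):
    """Values of the Safe Browsing <meta-data> entries directly under parent."""
    if parent is None:
        return []
    return [md.get(ANDROID + "value", "") for md in parent.findall("meta-data")
            if md.get(ANDROID + "name") == FLAG]


def audit_safe_browsing(manifest_xml):
    """Classify a source-form (text, not APK-compiled) AndroidManifest.xml.

    Returns 'enabled', 'disabled', 'unresolved' (the value is a resource
    reference this script cannot evaluate), 'outside-application' or 'missing'.
    """
    root = ET.fromstring(manifest_xml)
    values = flag_values(root.find("application"))
    if values:
        value = values[0].strip().lower()
        if value.startswith("@"):
            return "unresolved"
        return "enabled" if value == "true" else "disabled"
    # The flag exists elsewhere (directly under <manifest>, inside an
    # <activity>, ...), where it is not application-level meta-data.
    if any(md.get(ANDROID + "name") == FLAG for md in root.iter("meta-data")):
        return "outside-application"
    return "missing"


# Constructed sample manifests (not taken from any real app).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.hybrid">')
META = '<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing" android:value="%s"/>'
SAMPLES = {
    "in_application": HEAD + "<application>" + META % "true" + "</application></manifest>",
    "opted_out": HEAD + "<application>" + META % "false" + "</application></manifest>",
    "under_manifest": HEAD + META % "true" + "<application/></manifest>",
    "in_activity": HEAD + '<application><activity android:name=".Main">' + META % "true"
                   + "</activity></application></manifest>",
    "absent": HEAD + "<application/></manifest>",
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name:15} -> {audit_safe_browsing(xml_text)}")
```

Run it in CI against the project's own manifest and fail the build on anything other than `enabled`, so that a misplaced or removed flag is caught before release.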
Article note: Some content in this article is translated from the official Android Developers blog. Reference link (requires VPN): What's new in WebView security.
Related reading:
- For information about the interaction between WebView and Java code, refer to my previous summary article: Android WebView – Summary of Java and JavaScript Interaction
- For more details on using WebView, visit the link: Managing WebViews