
Insecure Use of Language/Framework API

Why is this important?

Android, like any other language or framework, exposes powerful and security-sensitive APIs. If these APIs are not used properly, the impact on your app can be catastrophic.

Using secure APIs

Option A: Disable dangerous WebView settings

WebView allows JavaScript to be enabled, which can be abused to gain access to the app's data if untrusted content is loaded.

  1. Go through the issues that GuardRails identified in the PR.

  2. Identify the following patterns:

    WebView webview = new WebView(this);
    webview.getSettings().setJavaScriptEnabled(true);
    setContentView(webview);
    webview.loadUrl("https://www.example.com/");

  3. If it's not needed, disable JavaScript; otherwise ensure that:

    • JavaScript and HTML are loaded locally from the app's data directory or from trusted servers.
    • Any communication with trusted servers is encrypted with TLS.

  4. Test it and ensure the functionality works as expected.

  5. Ship it 🚢 and relax 🌴
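As an added example (not code from the GuardRails page), here is the pattern from step 2 rewritten so that JavaScript stays off and navigation is restricted to a single TLS host; `SecureWebViewActivity` and the `TRUSTED_HOST` value are placeholders.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical activity; replace TRUSTED_HOST with your own server.
public class SecureWebViewActivity extends Activity {
    private static final String TRUSTED_HOST = "www.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webview = new WebView(this);
        WebSettings settings = webview.getSettings();

        // Step 3: JavaScript stays disabled unless the page really needs it.
        // If you must enable it, only load content from TRUSTED_HOST or the
        // app's own data directory.
        settings.setJavaScriptEnabled(false);
        // Keep web content away from the file system and content providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Never load plain-HTTP sub-resources into an HTTPS page.
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // Only navigations to the trusted host over TLS are allowed; any other
        // navigation is reported as "handled" (true) so WebView does not load it.
        webview.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl());
            }
        });

        setContentView(webview);
        webview.loadUrl("https://" + TRUSTED_HOST + "/");
    }

    /** True only for https:// URLs whose host is exactly the trusted host. */
    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equals(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

The `shouldOverrideUrlLoading` check applies to top-level and frame navigations, not to sub-resources, so the TLS requirement for those is enforced by `MIXED_CONTENT_NEVER_ALLOW`.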