Insecure Use of Language/Framework API
Why is this important?
The Android platform, like any programming language or framework, exposes powerful or security-sensitive APIs. If these APIs are not used properly, the impact on your app can be catastrophic.
Using secure APIs
Option A: Disable dangerous WebView settings
WebView allows JavaScript to be enabled. If the WebView then loads content you do not control, that script can be abused to gain access to the app's data.
Go through the issues that GuardRails identified in the PR.
Identify the following patterns:
```java
// Pattern GuardRails flags: JavaScript is switched on for a WebView that loads remote content.
WebView webview = new WebView(this);
webview.getSettings().setJavaScriptEnabled(true);
setContentView(webview);
webview.loadUrl("https://www.example.com/");
```

If JavaScript is not needed, disable it. Otherwise ensure that:
- JavaScript and HTML are loaded locally from the app's data directory, or from trusted servers.
- Any communication with trusted servers is encrypted with TLS.
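The two options above, written out as an added example that is not GuardRails' own code or part of the original page. The helper class name `SafeWebViewConfig` and its method names are assumptions; the APIs it calls (`WebSettings`, `WebViewClient.shouldOverrideUrlLoading(WebView, WebResourceRequest)`, `Uri`) are standard Android APIs and the `WebResourceRequest` overload assumes `minSdk` 24 or higher.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Hypothetical helper (example code, not GuardRails' own): applies hardened
 * settings to a WebView so that JavaScript is either off, or only runs for
 * content fetched over HTTPS from one trusted host.
 */
public final class SafeWebViewConfig {

    private SafeWebViewConfig() {}

    /** Option 1: the page does not need JavaScript. Leave it off and lock down local access too. */
    public static void configureStatic(WebView webView) {
        WebSettings s = webView.getSettings();
        // false is the default, but setting it explicitly makes a later change visible in code review.
        s.setJavaScriptEnabled(false);
        s.setAllowFileAccess(false);    // no file:// reads from app-private storage
        s.setAllowContentAccess(false); // no content:// provider access
        // Refuse plain-http subresources on an https page, so the TLS requirement holds end to end.
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
    }

    /** Option 2: JavaScript is needed. Enable it, but only allow navigation to one HTTPS host. */
    public static void configureForTrustedHost(WebView webView, final String trustedHost) {
        configureStatic(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells WebView "handled, do not load it", which blocks
                // every navigation that is not https to the trusted host.
                return !isAllowed(request.getUrl(), trustedHost);
            }
            // Do not override onReceivedSslError(): the default implementation cancels the load,
            // which is the behaviour that keeps the "encrypted with TLS" requirement intact.
        });
    }

    /** Allow-list check: scheme must be https and the host must match exactly (no suffix matching). */
    static boolean isAllowed(Uri uri, String trustedHost) {
        if (uri == null || uri.getHost() == null) {
            return false;
        }
        return "https".equalsIgnoreCase(uri.getScheme())
                && trustedHost.equalsIgnoreCase(uri.getHost());
    }

    /*
     * Usage inside an Activity, replacing the flagged pattern above:
     *
     *   WebView webview = new WebView(this);
     *   SafeWebViewConfig.configureForTrustedHost(webview, "www.example.com");
     *   setContentView(webview);
     *   webview.loadUrl("https://www.example.com/");
     */
}
```

Exact host comparison via `Uri.getHost()` is deliberate: a string prefix check would accept `https://www.example.com.attacker-controlled.invalid`, whereas `getHost()` returns the full host and the comparison fails. Note that `shouldOverrideUrlLoading` only covers top-level and frame navigations, not subresource fetches such as scripts or images; those are governed by the trusted server's own content (for example a Content-Security-Policy header), which is why the server itself must be trusted and reached over TLS.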
Test it and ensure the functionality works as expected
Ship it 🚢 and relax 🌴