Questions tagged [webview]

7 questions
1 vote, 1 answer

Isn't HTTPS enough to prevent MITM in mobile apps? Why is SSL Pinning needed?

I am making a webview that is going to be part of a native iOS and Android app. I implemented the webview using HTTPS as a protocol, and developed my NodeJS app there. But the security team where I work came with the following situation: "what…
gtbono
1 vote, 1 answer

Is this url verification with startsWith secure?

I would like to know if this code is secure to validate that a url is from my domain before loading it in a webview in Android:

    if (!url.startsWith("https://www.example.com/test/")){
        // don't load the url
        dontload = true;
    }

It looks secure but…
Neolex
1 vote, 1 answer

What is the impact of controlling the content of a webview in Android?

I'm learning Android application pen testing and I'm kinda lost about what an attacker who controls the content of a webview can do. I guess if there is no JavaScript enabled there is no impact, right? But if there is JavaScript enabled but no…
Neolex
1 vote, 1 answer

How would someone XSS into a WebView?

There are several articles about XSS vulnerabilities in Android/iOS WebViews. By WebView I mean the 'real' webview not SFSafariViewController or Chrome Custom Tabs. I understand the main concept of XSS. An example of Client XSS could be: redirecting…
Tafel
1 vote, 0 answers

HTTP security headers for native and webview based mobile applications

OWASP Security Headers Project recommends the following security headers for web applications. Out of the following which headers are relevant to mobile applications? HTTP Strict Transport Security (HSTS) Public Key Pinning Extension for HTTP…
0 votes, 0 answers

Understanding the Webview (html) code coming from the server

I am using an Android app downloaded from the Play Store and wanted to know whether the app uses a WebView. So, I tried intercepting the network calls with the help of Charles (proxy) and I found out that the page is actually a webview coming from the…
0 votes, 1 answer

Why does my Cordova app contain an SQLite file with credit card tables?

We have created a mobile app that includes a view for payment with credit cards. We have used Cordova so we can publish our app for Android and iOS. During some tests an SQLite file was found at /data/data/[package]/app_webview/Web Data. This file…
Elo