最佳做法清单,以确保Android WebView安全 [英] Best practice check list to make Android WebView Secure
问题描述
我正在开发一个主要以本机语言编写并支持Ice Cream Sandwich的应用程序.但是,我需要添加一些WebView.关于WebView安全性的讨论很多,当我使用setJavaScriptEnabled(true)时,它会向我发出警告:使用setJavaScriptEnabled会将XSS漏洞引入您的应用程序中,请仔细检查."
I am working on an application which is largely written in Native and supporting Ice Cream Sandwich. However, I need to add some WebViews. There are lots of discussions on WebView security and when I use setJavaScriptEnabled(true), it gives me a warning:"Using setJavaScriptEnabled can introduce XSS vulnerabilities into you application, review carefully."
只想非常小心地使用WebView和setJavaScriptEnable(true).我遵循了 Android WebView安全提示和
Just want to be very careful using WebView and setJavaScriptEnable(true). I have followed Android WebView Security Tips and suggestions. But there is no best practice check list.
到目前为止我所做的:
- 仅将受信任的内容加载到WebView.从本地html或从我们的后端.
-
通过实现拦截来自WebView的所有请求
- Only load trusted content to WebView. Either from local html or from our back end.
Intercept all requests from WebView by implementing
webView.setWebViewClient(new WebViewClient() {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
// magic
return true;
}
});
还有一些其他不是专门针对WebView的保护,例如加密消息和越狱检查等.
There are also some other protections not specifically for WebView, such as encrypt messages and jail broken check, etc.
还有其他我想念的东西吗?我的应用程序有多安全?
Is there anything else I am missing? How secure is my app?
谢谢