WebView Security Best Practices |
||
 |
 |
|
| © 2024 by IJCTT Journal | ||
| Volume-72 Issue-12 |
||
| Year of Publication : 2024 | ||
| Authors : Sheshananda Reddy Kandula | ||
| DOI : 10.14445/22312803/IJCTT-V72I12P121 | ||
How to Cite?
Sheshananda Reddy Kandula, "WebView Security Best Practices," International Journal of Computer Trends and Technology, vol. 72, no. 12, pp. 171-178, 2024. Crossref, https://doi.org/10.14445/22312803/IJCTT-V72I12P121
Abstract
WebViews play a great role in mobile and desktop applications by embedding web content within native applications. Native applications, typically written in platform-specific languages and frameworks, often share a common backend with multiple web-based clients, like Android, iOS, Windows, and macOS. To streamline development processes and enhance cross-platform compatibility, developers leverage WebViews as a unifying component. While WebViews offer substantial advantages in terms of development speed, flexibility, and code reuse, they inherently introduce security vulnerabilities if not implemented securely. Significant research has been performed on vulnerabilities in WebViews in different platforms [1], [2], [3], [4], but there is a lack of a consolidated repository of best practices for securely implementing WebViews. This review aims to address the gap and systematically investigates prevalent WebView security vulnerabilities, assess their potential impact on application security and user privacy, and provide best practices. By bridging the gap in existing literature, this work provides developers with actionable guidelines to build more resilient and secure WebViews usage in mobile and desktop environments.
Keywords
Android apps, Electron apps, iOS apps, Security, WebView.
Reference
[1] Zihao Jin et al., “A Security Study about Electron Applications and a Programming Methodology to Tame DOM Functionalities,” Network and Distributed System Security Symposium, San Diego, CA, USA, pp. 1-16, 2023.
[CrossRef] [Google Scholar] [Publisher Link]
[2] Chi-Yu Li et al., “Privacy Leakage and Protection of Input Connection Interface in Android,” IEEE Transactions on Network and Service Management, vol. 18, no. 3, pp. 3309-3323, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[3] Shivi Garg, and Niyati Baliyan, “Comparative Analysis of Android and iOS from Security Viewpoint,” Computer Science Review, vol. 40, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[4] Basil Schöni, “Automatically Retrofitting Cordova Applications for Stricter Content Security Policies,” Bachelor Thesis, University of Bern, pp. 1-84, 2020.
[Google Scholar] [Publisher Link]
[5] KirstenS, Cross Site Scripting (XSS), OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-community/attacks/xss/
[6] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.16), Common Weakness Enumeration. [Online]. Available: https://cwe.mitre.org/data/definitions/79.html
[7] CWE-749: Exposed Dangerous Method or Function (4.16), Common Weakness Enumeration. [Online]. Available: https://cwe.mitre.org/data/definitions/749.html [8] CWE-300: Channel Accessible by Non-Endpoint (4.16), Common Weakness Enumeration. [Online]. Available: https://cwe.mitre.org/data/definitions/300.html
[9] Build Web Apps in WebView, Android Developers. [Online]. Available: https://developer.android.com/develop/ui/views/layout/webapps/webview
[10] WKWebView, Apple Developer Documentation. [Online]. Available: https://developer.apple.com/documentation/webkit/wkwebview
[11] kirupa Chinnathambi, Understanding WebViews, Kirupa, 2025. [Online]. Available: https://www.kirupa.com/apps/webview.htm
[12] Populating the Page: How Browsers Work - Web Performance, MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en US/docs/Web/Performance/How_browsers_work
[13] Andrew R. Regenscheid, and Geoff Beier, “Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters,” National Institute of Standards and Technology, Internal Report, pp. 1-73, 2011.
[CrossRef] [Google Scholar] [Publisher Link]
[14] Paul A. Grassi, Michael E. Garcia, and James L. Fenton, “Draft NIST Special Publication 800-63-3 Digital Identity Guidelines,” National Institute of Standards and Technology, pp. 1-34, 2017.
[Google Scholar] [Publisher Link]
[15] Feng Xiao et al., “Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-Platform Ecosystem,” Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles CA USA, pp. 2975-2988, 2022.
[CrossRef] [Google Scholar] [Publisher Link]
[16] Mir Masood Ali et al., “Rise of Inspectron: Automated Black-box Auditing of Cross-Platform Electron Apps,” 33rd USENIX Security Symposium (USENIX Security 24), pp. 1-18, 2024.
[Google Scholar] [Publisher Link]
[17] Weilin Zhong, and Rezos, Code Injection, OWASP. [Online]. Available: https://owasp.org/www-community/attacks/Code_Injection
[18] Yuta Imamura et al., “Web Access Monitoring Mechanism via Android Web View for Threat Analysis,” International Journal of Information Security, vol. 20, no. 6, pp. 833-847, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[19] Andrei-Claudiu Veres, and Andrei Dumitriu, “The Privacy and Security Risks of Mobile In-App Browsers,” SC@RUG 2023 proceedings, pp. 19-23, 2023.
[Google Scholar]
[20] Mohamed A. El-Zawawy, Eleonora Losiouk, and Mauro Conti, “Vulnerabilities in Android Webview Objects: Still Not the End!” Computers and Security, vol. 109, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[21] Ksenia Peguero, and Xiuzhen Cheng, “Electrolint and Security of Electron Applications,” High-Confidence Computing, vol. 1, no. 2, pp. 1-14, 2021.
[CrossRef] [Google Scholar] [Publisher Link]
[22] Com.Basecamp.bc3 Webview Javascript Injection and JS Bridge Takeover, Hackerone, 2021. [Online]. Available: https://hackerone.com/reports/1343300
[23] Zomato for Business Android, Vulnerability in Exported Activity WebView, Hackerone, 2019. [Online]. Available: https://hackerone.com/reports/537670
[24] Vulnerability in TikTok Android App Could Lead to One-Click Account Hijacking, Microsoft, 2022. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/08/31/vulnerability-in-tiktok-android-app-could-lead-to-one-click-account hijacking/
[25] Security Checklist, Android Developers. [Online]. Available: https://developer.android.com/privacy-and-security/security-tips
[26] iOS Platform APIs, OWASP Mobile Application Security. [Online]. Available: https://mas.owasp.org/MASTG/0x06h-Testing Platform-Interaction/