Balázs is a software engineer skilled in software architectural design, mobile security, effective product development and agile methodologies. His passion is creating intuitive, experience-focused user interfaces. He is always hungry for more knowledge and happy to share what he learns with others. He likes mentoring and being an enabler in a team. He is a co-organizer of the Android Budapest meetup group. Outside of work he enjoys cycling, photography, cars and coffee.
Balázs Gerlei
Overcoming Unsecurities in WebViews
Is your relationship with WebViews healthy? Sometimes you can't avoid the need to display web content in your app. It can be a functionality that you need to release quickly and it's already implemented by web devs in your team. It can be just a Terms and Conditions page you need to show. Often the reason for putting these into WebViews is that the latest version must be displayed without requiring an app update.
So web content tends to make its way into many apps. It's not obvious that by adding a single WebView, you can open up your app to abuse by malicious actors. Google has made steady progress in making WebViews more secure by default, but often you can't stop supporting those old, vulnerable OS versions. Ultimately it's your responsibility to secure your WebViews, and the default settings are not always right. This talk aims to help with that while also highlighting security issues that lurk in those seemingly simple yet quite complex APIs.
You will learn the importance of always sanitizing inputs and restricting capabilities to what is actually needed. If you want to take one piece of advice from the talk, you should use more modern APIs like Custom Tabs, JavaScript Engine, or AndroidX's WebView variant.
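As a concrete illustration of the two pieces of advice above (sanitize inputs, restrict capabilities to what the screen needs, and prefer Custom Tabs where you don't need an embedded view), here is an added Kotlin example. It is not code from the talk or the speaker; it assumes a minSdk of 24 or higher, the `androidx.browser` dependency for Custom Tabs, and a constructed host allow-list (`ALLOWED_HOSTS`) that a real app would replace with its own.

```kotlin
import android.content.Context
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.browser.customtabs.CustomTabsIntent

// Constructed for this example: the only hosts this screen is allowed to load.
private val ALLOWED_HOSTS = setOf("example.com", "www.example.com")

/** Reduces a WebView's capabilities to what a static page (e.g. Terms and Conditions) needs. */
fun hardenWebView(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = false                 // stays off unless the page genuinely needs it
        allowFileAccess = false                   // no file:// loads from app-private storage
        allowContentAccess = false                // no content:// loads via content providers
        allowFileAccessFromFileURLs = false       // deprecated, but still honoured on old OS versions
        allowUniversalAccessFromFileURLs = false
        domStorageEnabled = false
        setGeolocationEnabled(false)
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW  // https pages may not load http resources
    }
    // Keep navigation inside the allow-list; anything else is blocked rather than rendered in-app.
    webView.webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            val url = request.url
            val allowed = url.scheme == "https" && url.host in ALLOWED_HOSTS
            return !allowed  // true tells the WebView not to load this URL
        }
    }
}

/** Validates an untrusted URL (deep link, push payload, intent extra) before it reaches any WebView. */
fun sanitizeUrl(raw: String?): Uri? {
    val uri = raw?.let { Uri.parse(it) } ?: return null
    if (uri.scheme != "https") return null        // rejects javascript:, file:, content:, intent:
    if (uri.host !in ALLOWED_HOSTS) return null   // rejects open redirects to arbitrary sites
    return uri
}

/** Opens an already-sanitized URL in a Custom Tab, so the browser's own sandbox does the rendering. */
fun openInCustomTab(context: Context, uri: Uri) {
    CustomTabsIntent.Builder().build().launchUrl(context, uri)
}
```

The shape matters more than the exact flags: start from everything disabled, turn on only what the page needs, validate every URL before `loadUrl`, and for content you don't control at all, hand it to a Custom Tab instead of embedding it.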