Webview app code security - android

I have an app which runs mostly in webview and opens an html file from my server and most of the logic happens in its javascript files. If you open the html file on your browser you will have all the code with a simple inspect element. I wanted to ask how can I secure my application and prevent my code from being seen and copied.
Thanks

By default WebView doesn't allow debugging of its contents (unlike Chrome), unless it runs on a debug build of Android. Thus if you don't reveal the URL anywhere, users will simply not know what to open in a browser.
You can also minify/obfuscate your JavaScript code to make it barely readable, even if anyone somehow opens it. This also has a benefit of reducing download size.
A radical approach would be to generate all the results on the server and send them to clients. This way, your clients will not have any code at all on them. But this will greatly complicate any attempts to make the results interactive.

Related

Serving a local static website using Cordova?

We are currently starting work on a project which consists of a website, plus Apps for Android, iOS and (yes) Windows phone.
The apps are identical on all three platforms, and are relatively simple, at least in theory.
They need to provide offline access to the content on the site. This is static content, so is a set of .html pages plus assets (images, css, javascript, etc.).
They need to be able to periodically update the content automatically, when an internet connection is available.
Any external links should open in the user's internet browser rather than within the app.
The app should not display any browser 'chrome' (e.g. address bar, etc.).
It seems like Cordova is a good way to go with this (though I'm open to other suggestions). However, I'm having difficulty finding any information about how to proceed.
For point 1, the way I'd imagine it working is that the app loads some form of web view pointing to file://path/to/site/index.html. Assuming the site uses relative URLs for all internal links and assets this should be sufficient to provide a fully browsable offline version of the site. The app will ship with a static export of the current site.
For point 2, I imagined that the Cordova app would occasionally run a synchornisation process, which would essentially be a number of web requests to the website's API to find out if there is new content. It would then download any new files, placing them in the file structure referred to in point 1, overwriting existing files. (For the purposes of this question, I don't care if that temporarily puts the site in an inconsistent state.)
Point 3 sounds trivial, but I'm not sure if it is. Would target="_blank" be enough? Or a bit of JavaScript to trigger some Cordova action when the link is clicked? We control the way the HTML is generated, so we can insert additional markup for offline use, if necesssary.
Can anyone offer any advice about how to handle an automatically-updating local static site in this manner? Is it even possible?
Cordova mostly does store your html files in an app and the shows the index.html (Or an other page if you define it) in an WebView.
The cool thing here is that Cordova will also provide an API to call Device APIs from JS.
Cordova does not automatically reload you html files and assets into the app. For that you would need to release a new App or you simply reload just the Data in your App and you control all of that in JavaScript.
If you do not need any Device APIs I would recommend you take a look at ServiceWorkers for caching and reloading files.
With some HTML Tags you can also create a really App like behavior after pressing "Add to homescreen".
Best Regards
Marc

Android WebView: offline manifest vs local files

I'm developing a simple Android App where the user must fill in a very complex form, for which I believe it's much easier to use an HTML form than an Android Activity with tons of TextViews.
The data collected by the form must be sent to some remote database, and the application must be able to work offline.
I thought of two alternatives, the question is: which one would be better?
Let a WebView load a remote website with an offline manifest
Let a WebView load a local website in assets folder
My second question is related to the storage when offline, and once again I have two options, and I don't know which one is better:
Using the HTML5 local storage, and let HTML + javascript send data to the server when online again
Let my Android app catch the form data, and handle everything the Android way.
Any input will be very helpful. Thanks in advance.
Regarding the first question: depends on how often will you need to update your form. An online cached form can be updated quickly, while bundled pages are only updateable together with the app, and you will need to consider that both legacy and new clients can connect to your server at the same time (users will procrastinate updating).
Another aspect is portability. Do you envision an iOS version of your app, or perhaps a mobile site? If yes, then an HTML5 solution is definitely more portable. Also, debugging an app which is entirely HTML or entirely native is usually easier than a hybrid one -- you can stay within a single debugger.
Perhaps, one drawback of using HTML local storage inside WebView is that the data you save will be in a kind of a "black box" -- you will not be able to back it up easily.
[Added later] OK -- one drawback of putting your site into assets folder is that you'll have to use file: scheme in order to access it. This can lead to some cross-origin loading access related issues if you will try to mix your bundled content with content from the web. Check these WebView settings for example: setAllowFileAccessFromFileURLs, setAllowUniversalAccessFromFileURLs, setMixedContentMode.

Check for input in webview

I have an app that has a web-view which has a basic web-form that has a few fields and a submit button. I would like to figure out in my app if the form has any input in any of the fields. I cannot change the form from the server side, and I can't be certain much about the fields (ids / names in the html).
In iOS we accomplish this with an interesting process of pulling all the html out when loading the form, and comparing it to the html at any given point, if they don't match, the user must have entered something into a field. I believe we were able to get the html by injecting and running some javascript into the web-view. I'm not sure exactly how to approach the problem on android, or if android has any better tools to get whether a form has been edited.
Anybody have any ideas / pseudo-code how I can tell if a form has had input in any of the fields in a webview in android?
Unfortunately, there are no special form-related tools in Android WebView either. You can use the same approach as you have described for iOS.
A couple of links to get you started:
Read HTML content of webview widgets
Android Web-View : Inject local Javascript file to Remote Webpage

How can I override XMLHttpRequest in my Android WebView subclass so that scripts in head will use my overridden XHR?

I am working on what amounts to a custom android web browser and need to work around a bug in XHR.
I'd like to use a javascript XHR wrapper that fixes the bug (I already have the fix).
How can I force this to be loaded on every page load before anything else is loaded, including scripts in the head?
Note that arbitrary web content which I do not control will be loaded into my webview, so I can't do anything like load my script from the html page. I need to do something like intercept the first script request in head and synchronously inject my script. I'm not sure if this exact approach is possible - just trying to provide an example of the sort of approach that would satisfy my requirements.
I'm open to a completely different approach - I just know how to fix it via a javascript wrapper.
The details of the bug that I need to fix are not important, but just in case anyone is curious, successful XMLHttpRequests for non-android_asset file urls leave status set to 0 and statusText to "". Since some frameworks that use XHR treat status!=200 and/or statusText!="OK" as an error, I need to override the default behavior and return status=200 and statusText="OK" for successful XMLHttpRequests for non-android_asset file urls.
Since someone recently upvoted this and no one else offered any input, I'll share what I ended up doing to address the problem, even though it does not really address my original question.
In my case, I am only loading local (that is, dynamic files that are copied locally prior to being loaded into the webview) html files which I have access to via the filesystem prior to loading them into the webview. Therefore, I have an opportunity to modify the file prior to loading them. Since I could not find a better approach, I simply insert a script tag as first child of head in order to ensure that XHR override happens before anything else.
Feel free to comment if you want more details - I will do my best to answer!

modifying HTML through an android application

This may seam like a simple question, but it has been stumping me for quite a while.
Is there anyway to modify variables in an HTML code, or the HTML code itself, through an android application connected to the internet?
For example if I have a website http://count.com can I make a android application with one button which, when clicked, increments the count on the website (http://count.com).
The HTML code on the website could be a variable which is then incremented, or simple a number which is found an incremented.
I understand how to read HTML code from a website on an android application, but not how to (or if its possible to) write it.
If it is not possible if you could suggest an alternative I would be very grateful.
you can modify the HelloWord.html in your Android or in Desktop ( Android connects to Desktop via teamviewer). Save and FTP to the web hosting and is done.
The problem it is: if you didn't know this, you will not know how to do it even if I told.

Categories

Resources