This content is taken from the University of Southampton's online course, Secure Android App Development. Join the course to learn more.

Input validation

In Week 2 we discussed input validation. Data received over a network connection is untrusted input in exactly the same way as data typed by the user or passed by another app, and needs the same validation before it is acted on.

Obviously this is a huge topic, as an app may interact with a remote server in a potentially unbounded number of ways. We cannot possibly cover all of them, but we can highlight a couple of issues that you should consider.

If your app uses a WebView then you need to consider carefully how you handle JavaScript, or indeed whether your app should execute JavaScript fetched from the internet at all.

By default a WebView has JavaScript disabled, and you should only call setJavaScriptEnabled(true) if a feature genuinely needs it. Once JavaScript is enabled, any content the WebView loads can run script inside your app, including a page altered in transit over plain HTTP or served by a compromised host. This is JavaScript injection, the WebView form of a cross-site scripting (XSS) attack.

The WebView method addJavascriptInterface() is especially dangerous on versions of Android earlier than 4.2 (API level 17): page JavaScript could use reflection on the injected object to reach and call arbitrary Java code in the app. From API level 17, and only when the app's targetSdkVersion is also 17 or higher, just the methods annotated with @JavascriptInterface are exposed to script. Even then, inject an object only when JavaScript is actually required, treat every argument it receives as untrusted input, and load the content over HTTPS from a host you trust.
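The two points above, setJavaScriptEnabled() and addJavascriptInterface(), are brought together in the following added example. It is not code from the course: it shows the risky configuration beside a hardened one. The host name app.example.com and the two bridge classes are hypothetical.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

/**
 * Added example (not course code): the same WebView configured the risky way
 * and the hardened way. TRUSTED_HOST and both bridge classes are hypothetical.
 */
public final class WebViewHardening {

    // Hypothetical origin: the only host this app is willing to run script from.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Risky: script on for everything, bridge exposed on every API level, cleartext HTTP. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void weakSetup(WebView webView, Context context) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);  // every page loaded can now run script in the app
        // No API-level guard and no @JavascriptInterface: on Android < 4.2 every public
        // method of the object (getClass() included) is reachable from page script.
        webView.addJavascriptInterface(new LegacyBridge(context), "Android");
        webView.loadUrl("http://" + TRUSTED_HOST + "/");  // cleartext: page can be altered in transit
    }

    /** Hardened: script only when needed, bridge only on API 17+, navigation pinned to HTTPS and one host. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedSetup(WebView webView, Context context, boolean scriptRequired) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(scriptRequired);  // default is false; keep it off unless a feature needs it
        settings.setAllowFileAccess(false);             // remote script must not read the app's files
        settings.setAllowContentAccess(false);

        if (scriptRequired && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+: only @JavascriptInterface methods are callable, provided
            // targetSdkVersion is also >= 17. Below that level, do without the bridge.
            webView.addJavascriptInterface(new SafeBridge(context), "Android");
        }

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView not to load the URL itself.
                return !isTrusted(Uri.parse(url));
            }
        });
        webView.loadUrl("https://" + TRUSTED_HOST + "/");
    }

    /** Only HTTPS pages on the trusted host may be navigated to. */
    static boolean isTrusted(Uri uri) {
        return "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    /** Bridge with an ordinary public method and no annotation: the pre-4.2 hazard. */
    public static final class LegacyBridge {
        private final Context ctx;
        LegacyBridge(Context ctx) { this.ctx = ctx; }
        public void showToast(String msg) { toastOnUiThread(ctx, msg); }
    }

    /** Bridge where only the annotated method is visible to page script (API 17+). */
    public static final class SafeBridge {
        private final Context ctx;
        SafeBridge(Context ctx) { this.ctx = ctx; }

        @JavascriptInterface
        public void showToast(String msg) {
            // msg comes from the page: treat it as untrusted input and bound it before use.
            String bounded = msg == null ? "" : msg.substring(0, Math.min(msg.length(), 200));
            toastOnUiThread(ctx, bounded);
        }

        // Public but not annotated: not callable from script when targetSdkVersion >= 17.
        public String internalState() { return "not exposed to JavaScript"; }
    }

    /** Bridge methods run on a background thread; UI work must be posted to the main thread. */
    static void toastOnUiThread(final Context ctx, final String text) {
        new Handler(Looper.getMainLooper()).post(new Runnable() {
            @Override public void run() { Toast.makeText(ctx, text, Toast.LENGTH_SHORT).show(); }
        });
    }
}
```

Two caveats on the hardened version. shouldOverrideUrlLoading() is not called for the initial loadUrl(), for subresources or for iframes, so it is a navigation guard rather than a substitute for serving only trusted content over HTTPS. And on devices below API 17 the bridge is simply omitted; there is no safe way to expose a Java object to page script there, so the feature must degrade rather than fall back to the legacy pattern.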
