
Input validation

In Week 2 we discussed input validation. This is equally important when receiving data over a network connection.

Obviously this is a huge topic, as an app may interact with a remote server in a potentially unbounded number of ways. We cannot possibly cover all of them, but we can highlight a couple of issues that you should consider.

If your app uses a WebView then you need to carefully consider how you handle JavaScript, or indeed whether your app should accept JavaScript from over the internet at all.

By default WebView disables JavaScript, and you should only call setJavaScriptEnabled() if you really need to. Enabling JavaScript could make your app vulnerable to JavaScript injection, often known as a cross-site-scripting attack.

The WebView method addJavascriptInterface() is especially dangerous on versions of Android earlier than Android 4.2, as the JavaScript could use reflection to directly access and control an app’s Java code!
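One way to apply the three points above when setting up a WebView, as an added example that is not part of the course material. The class name HardenedWebView, the Bridge object, the interface name "bridge" and the host app.example.com are assumptions made for illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebView {
    // Assumption: the single origin this app trusts to run script.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Hypothetical bridge. On Android 4.2+ (API 17) only public methods
     *  annotated with @JavascriptInterface are callable from script. */
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    public static void configure(WebView webView, boolean pageNeedsScript) {
        // JavaScript is off by default; turn it on only when the page needs it.
        webView.getSettings().setJavaScriptEnabled(pageNeedsScript);

        // Before API 17 script can reach the whole object through reflection,
        // so the bridge is simply not registered on those devices.
        if (pageNeedsScript
                && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(), "bridge");
        }

        // Keep the script-enabled view on the trusted origin: returning true
        // cancels the navigation. The String overload is used because it is
        // called on every API level.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(Uri.parse(url));
            }
        });
    }

    /** Validate the URL before the first load as well. */
    public static void load(WebView webView, String url) {
        if (isTrusted(Uri.parse(url))) webView.loadUrl(url);
    }
}
```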


This article is from the free online course:

Secure Android App Development

University of Southampton
