My presentation from the Android Budapest September 2025 meetup about JavaScript-related security issues in WebViews. It is a continuation, the second part of my Overcoming Unsecurities in WebViews talk: https://speakerdeck.com/balazsgerlei/droidcon-london-2024
Intro
In my previous talk with a similar title from last year, I briefly discussed running JavaScript in Android WebViews, stating that it could be a talk of its own. Since then, multiple people have asked about this topic, so I decided to make it to further help overcome the insecurity one may feel when working with unsecured WebViews. It’s an often-cited suggestion that you should disable JavaScript to secure your WebViews, but what if you explicitly want to execute JavaScript?
The easiest way to run JavaScript on Android is to create a “headless” WebView (that is not visible). There are many traps to be aware of, including:
- Allowing remote code execution via Cross-Site Scripting (XSS)
- Unintended access to Android components
- Unintended access to files via WebResourceResponse or URI
- Leaking data through the JavaScript Bridge
I’ll describe and demonstrate such attacks and show you ways to mitigate and secure your app. You will learn the importance of fully controlling the JavaScript you execute, how to restrict access to native components, on-device data, and more.
Links
PasswordStrengthExample - my demo from the talk comparing running password strength calculation natively, in WebView and with JavaScriptEngine:
https://github.com/balazsgerlei/PasswordStrengthExample
My SecureWebView library:
https://github.com/balazsgerlei/SecureWebView
Executing JavaScript and WebAssembly with JavascriptEngine:
https://developer.android.com/develop/ui/views/layout/webapps/jsengine
HackTricks - Webview Attacks:
https://book.hacktricks.wiki/en/mobile-pentesting/android-app-pentesting/webview-attacks.html
Application Security Cheat Sheet - WebView Vulnerabilities:
https://0xn3va.gitbook.io/cheat-sheets/android-application/webview-vulnerabilities