
I received a warning from Google Play Console that refers me to this page because I used JavaScript Interface in my app, and it suggests two options to solve the problem.

Option 1 says:

Ensure that there are no objects added to the JavaScript interface of any WebView that loads untrusted web content. You can do this in two ways:

Ensure that no objects are ever added to the JavaScript interface via calls to addJavascriptInterface.

Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView.

But I can't understand what Google exactly says, especially on:

Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView

Can someone give me more explanation?

  • I believe it's saying that you should remove everything you added before you visit an http site (as opposed to an https site). Or better yet, not use any injections at all. Commented Dec 8, 2018 at 6:40
  • If Google doesn't allow us to use injection, then why does this method exist?! Commented Dec 8, 2018 at 9:03
  • Note that it says "for untrusted web content". If this is used for trusted content, then the method is still useful. That's why the method exists. Commented Dec 10, 2018 at 9:01
  • Yes, it says "for untrusted web content", but how will Google find out whether I'm using it for an SSL website or an untrusted website? Commented Dec 10, 2018 at 13:42

3 Answers


You can resolve this issue in the following ways:

  1. If your website supports HTTPS, use "https://" prefix in loadUrl method.
  2. You can set android:usesCleartextTraffic to false in your Manifest or set a Network Security Config that disallows HTTP traffic. It also means that your website should run on HTTPS.

Now, coming to your question about "Remove objects from the JavaScript interface in shouldInterceptRequest via removeJavascriptInterface before untrusted content is loaded by the WebView": it means that your app should remove (or disable) the JavascriptInterface whenever a non-HTTPS URL is loaded within the WebView.

After doing any of these, you need to update APK on Play Console.

Conclusion is that if you want to use JavaScriptInterface, better use HTTPS on your website. If you use HTTP, JavaScriptInterface won't be allowed by Google Play.
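The following is an added example, not code from the question or from any of the answers, showing one way to put the answer above into practice: the bridge is attached only before a top-level navigation to an allow-listed HTTPS origin, detached before any other navigation, and requests for untrusted sub-resources (iframes, scripts, XHR) are refused while the bridge is attached. The bridge name "Android", the hosts "app.example.com" and "static.example.com", the `Bridge` class and a minSdkVersion of 24 (for the `WebResourceRequest` overloads) are all assumptions. Two details matter here: `addJavascriptInterface`/`removeJavascriptInterface` only take effect on the next page load, so the decision has to be made before the navigation starts rather than after the page is up, and `shouldOverrideUrlLoading` is not invoked for loads the app itself starts with `loadUrl()`, so those go through the same gate via `load()`.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the question or any of the answers). Keeps a
 * JavascriptInterface attached only while the WebView's top-level document
 * comes from an allow-listed HTTPS origin, and refuses to fetch anything
 * else so the bridge can never become visible to untrusted content.
 * Assumptions: minSdkVersion 24 (WebResourceRequest overloads), a bridge
 * named "Android", and the two example hosts below.
 */
public class GuardedWebViewClient extends WebViewClient {

    /** Example bridge; every method exposed to JS needs @JavascriptInterface. */
    public static class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }   // assumed value
    }

    static final String BRIDGE_NAME = "Android";

    // Assumed allow-list; only these hosts, over HTTPS, count as trusted content.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "static.example.com"));

    private final WebView webView;
    private final Object bridge;
    // Read from the network thread in shouldInterceptRequest, written on the UI thread.
    private volatile boolean bridgeAttached;

    public GuardedWebViewClient(WebView webView, Object bridge) {
        this.webView = webView;
        this.bridge = bridge;
    }

    /** Trusted means https:// AND an allow-listed host; "http://" never qualifies. */
    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    /**
     * Attach or detach the bridge BEFORE a top-level navigation starts.
     * add/removeJavascriptInterface only take effect on the next page load,
     * and both must be called on the UI thread, which is where
     * shouldOverrideUrlLoading and load() run.
     */
    private void gateBridge(Uri target) {
        boolean trusted = isTrusted(target);
        if (trusted && !bridgeAttached) {
            webView.addJavascriptInterface(bridge, BRIDGE_NAME);
            bridgeAttached = true;
        } else if (!trusted && bridgeAttached) {
            webView.removeJavascriptInterface(BRIDGE_NAME);
            bridgeAttached = false;
        }
    }

    /** Use this instead of webView.loadUrl(): shouldOverrideUrlLoading is
     *  not invoked for loads the app itself starts with loadUrl(). */
    public void load(String url) {
        gateBridge(Uri.parse(url));
        webView.loadUrl(url);
    }

    /** Called for navigations the page starts (links, location.href, redirects). */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        if (request.isForMainFrame()) {
            gateBridge(request.getUrl());
        }
        return false; // let the WebView perform the navigation itself
    }

    /**
     * Runs for every fetch (iframes, scripts, XHR, images) on a background
     * thread. Because a removal would not reach the already-loaded page, an
     * untrusted sub-resource inside a trusted page is refused outright rather
     * than used as a trigger to remove the bridge.
     */
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        if (bridgeAttached && !isTrusted(request.getUrl())) {
            return new WebResourceResponse("text/plain", "utf-8",
                    new ByteArrayInputStream(new byte[0]));  // empty body, request not sent
        }
        return null; // null = let the WebView load it normally
    }
}
```

Typical wiring is `webView.setWebViewClient(new GuardedWebViewClient(webView, new GuardedWebViewClient.Bridge()))` followed by `client.load("https://app.example.com/")`. A trusted page that pulls assets from third-party hosts will lose those assets under this client; either add those hosts to the allow-list or serve the assets from an origin you control. HTTPS alone is not what makes content trusted; it only guarantees the bridge is not exposed to whoever can tamper with cleartext traffic, which is why the gate checks the host as well as the scheme, and why setting `android:usesCleartextTraffic="false"` in the manifest is a complement to this check rather than a replacement for it.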




I faced the same problem, and have not been able to figure this out, either. What worked for me, documented in How to address "Remediation for JavaScript Interface Injection Vulnerability"?, was to use WebView.evaluateJavascript. Alas, that is not a full replacement for all use cases of JavascriptInterface, but maybe it's sufficient for your purposes.



I just released an update without doing anything special and the warning disappeared, BUT I'm not sure whether it will come back again or not.

1 Comment

I hope I have explained your concern in my answer; it might help.
