AdarshK11/SecureWebViewContainer

Secure WebView Container (Android) - PoC

A security-focused Proof-of-Concept demonstrating a hardened Android WebView container loading a trusted web portal with strict navigation controls and a minimized Web ↔ Native JavaScript bridge.

This project was built to explore WebView security risks and platform-style controls (allowlisting, bridge hardening, mixed content blocking, safe browsing) in a realistic hybrid-app flow.


🔧 Tech Stack

  • Android (Kotlin)
  • Jetpack Compose UI
  • Android System WebView (Chromium-based)
  • GitHub Pages (hosted portal)

✅ What this PoC Demonstrates

1) Trusted Navigation (Domain Allowlisting)

  • Only allows navigation to a trusted origin (GitHub Pages host)
  • Blocks external domains from loading inside WebView
  • External links can be opened via system browser (optional behavior)
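One way to implement the allowlist and the navigation hook, as an added Kotlin example (not the project's own code). The host is the one named in the Portal URL section; `ALLOWED_HOST`, `isAllowedUrl` and `AllowlistWebViewClient` are assumed names, and opening blocked top-level links in the system browser is the optional behaviour described above:

```kotlin
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Assumed constant: the only host the WebView may navigate to.
const val ALLOWED_HOST = "adarshk11.github.io"

/** True only for https URLs whose host is exactly the allowlisted host. */
fun isAllowedUrl(url: String): Boolean {
    val uri = Uri.parse(url)
    // Exact, case-insensitive host comparison. A suffix test such as
    // host.endsWith("github.io") would also admit any other GitHub Pages site.
    return uri.scheme.equals("https", ignoreCase = true) &&
        uri.host.equals(ALLOWED_HOST, ignoreCase = true)
}

class AllowlistWebViewClient(private val context: Context) : WebViewClient() {

    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val url = request.url.toString()
        if (isAllowedUrl(url)) return false   // allowed: let the WebView load it
        if (request.isForMainFrame) openExternally(request.url)
        return true                           // blocked: never loaded inside the WebView
    }

    // Hand blocked top-level links to the system browser, but only http(s) ones;
    // intent://, file://, javascript: and similar schemes are silently dropped.
    private fun openExternally(uri: Uri) {
        val scheme = uri.scheme?.lowercase() ?: return
        if (scheme != "http" && scheme != "https") return
        try {
            context.startActivity(
                Intent(Intent.ACTION_VIEW, uri).addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
            )
        } catch (e: ActivityNotFoundException) {
            // No browser available; the navigation stays blocked.
        }
    }
}
```

Two limits of this hook are worth knowing before relying on it: `shouldOverrideUrlLoading` is not consulted for the initial `loadUrl()` call, for form POST submissions, or for subresource fetches (scripts, images, XHR/fetch). If subresources must also be confined to the allowlisted host, add a `shouldInterceptRequest` override that returns an empty `WebResourceResponse` for any request whose host fails `isAllowedUrl`.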

2) Web ↔ Native Communication (JS Bridge)

A minimal JavaScript bridge is exposed as:

window.NativeBridge.*

Supported methods:

  • getDeviceInfo()
  • copyToClipboard(text)
  • logEvent(eventJson)
  • showToast(message)

3) JS Bridge Hardening (Origin-bound bridge)

Bridge calls are denied unless:

  • Current page is HTTPS

  • Host matches the allowlisted domain
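An added Kotlin example (not the project's own code) of the bridge from section 2 together with the origin check from section 3. The class name `NativeBridge`, the `allowedHost` field and the four method names follow the README; the URL-snapshot mechanism, `attachBridge` and `MAX_PAYLOAD` are assumptions about how the check could be implemented:

```kotlin
import android.content.ClipData
import android.content.ClipboardManager
import android.content.Context
import android.graphics.Bitmap
import android.net.Uri
import android.os.Build
import android.os.Handler
import android.os.Looper
import android.util.Log
import android.webkit.JavascriptInterface
import android.webkit.WebView
import android.webkit.WebViewClient
import android.widget.Toast

class NativeBridge(private val context: Context) {
    companion object {
        const val allowedHost = "adarshk11.github.io"
        private const val MAX_PAYLOAD = 4096   // assumed bound on web-supplied strings
    }

    // @JavascriptInterface methods run on a dedicated "JavaBridge" thread, where
    // WebView getters such as getUrl() must not be called. The WebViewClient in
    // attachBridge() records the top-frame URL on the UI thread; the bridge reads it.
    @Volatile var currentUrl: String? = null

    private val mainHandler = Handler(Looper.getMainLooper())

    // Deny unless the top-level page is https on exactly the allowlisted host.
    private fun callerAllowed(): Boolean {
        val uri = Uri.parse(currentUrl ?: return false)
        return uri.scheme.equals("https", ignoreCase = true) &&
            uri.host.equals(allowedHost, ignoreCase = true)
    }

    @JavascriptInterface
    fun getDeviceInfo(): String {
        if (!callerAllowed()) return ""
        // Coarse, non-identifying information only (no serial, IMEI or advertising id).
        return "${Build.MANUFACTURER} ${Build.MODEL} / Android ${Build.VERSION.RELEASE}"
    }

    @JavascriptInterface
    fun copyToClipboard(text: String) {
        if (!callerAllowed() || text.length > MAX_PAYLOAD) return
        mainHandler.post {
            val cm = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
            cm.setPrimaryClip(ClipData.newPlainText("portal", text))
            Toast.makeText(context, "Copied", Toast.LENGTH_SHORT).show()
        }
    }

    @JavascriptInterface
    fun logEvent(eventJson: String) {
        // Bound what web content can push into Logcat; never log secrets here.
        if (!callerAllowed() || eventJson.length > MAX_PAYLOAD) return
        Log.i("NativeBridge", eventJson)
    }

    @JavascriptInterface
    fun showToast(message: String) {
        if (!callerAllowed()) return
        mainHandler.post {
            Toast.makeText(context, message.take(200), Toast.LENGTH_SHORT).show()
        }
    }
}

// UI thread: expose the object as window.NativeBridge and keep the URL snapshot
// current. A real client would also carry the navigation allowlist check.
fun attachBridge(webView: WebView, bridge: NativeBridge) {
    webView.webViewClient = object : WebViewClient() {
        override fun onPageStarted(view: WebView, url: String, favicon: Bitmap?) {
            bridge.currentUrl = url
        }
    }
    webView.addJavascriptInterface(bridge, "NativeBridge")
}
```

The snapshot describes the top frame only: a cross-origin iframe embedded by the allowlisted portal would pass `callerAllowed()` too, so the portal should also forbid foreign frames (a `frame-src` CSP directive) or the container should use androidx.webkit's `WebViewCompat.addWebMessageListener`, which takes a set of allowed-origin rules, injects the JavaScript object only into frames matching them, and hands each message to the listener with its `sourceOrigin` and `isMainFrame` flag, so the origin is checked per call rather than per page.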

4) WebView Security Hardening

Configured safe settings including:

  • Mixed content blocked

  • File/content access disabled

  • Safe browsing enabled (Android O+)

  • Popups/multiple windows disabled
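The settings listed above, collected into one helper as an added Kotlin example (not the project's own code). `hardenWebView` and the `debugBuild` parameter are assumed names; the `WebSettings` properties are the platform ones:

```kotlin
import android.os.Build
import android.webkit.WebSettings
import android.webkit.WebView

@Suppress("DEPRECATION")   // the file-URL setters are deprecated but still honoured
fun hardenWebView(webView: WebView, debugBuild: Boolean) {
    webView.settings.apply {
        javaScriptEnabled = true            // required for the bridge
        // Never fetch plaintext subresources from an https page.
        mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
        // Keep file:// and content:// out of reach of web content.
        allowFileAccess = false
        allowContentAccess = false
        allowFileAccessFromFileURLs = false
        allowUniversalAccessFromFileURLs = false
        // Safe Browsing checks of navigated URLs (setter exists from API 26).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            safeBrowsingEnabled = true
        }
        // No window.open() / target="_blank" popups; with multiple windows off,
        // such links load in this WebView and so pass through its WebViewClient.
        setSupportMultipleWindows(false)
        javaScriptCanOpenWindowsAutomatically = false
        // Nothing in the portal needs location (assumption).
        setGeolocationEnabled(false)
    }
    // chrome://inspect remote debugging only in debug builds.
    WebView.setWebContentsDebuggingEnabled(debugBuild)
}
```

Call it once on the WebView instance before the first `loadUrl()`; in a Compose screen that is the `factory` lambda of the `AndroidView` that creates the WebView. Note that `allowFileAccess` already defaults to false on API 30 and later, so setting it explicitly documents intent and protects older targets.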

🌐 Portal URL

This WebView loads a hosted portal:

https://adarshk11.github.io/secure-webview-portal/

▶️ How to Run

  1. Clone this repo

  2. Open in Android Studio

  3. Ensure INTERNET permission exists in AndroidManifest.xml

  4. Update the allowlist host in:

    • isAllowedUrl(...)
    • NativeBridge.allowedHost

  5. Run the app on an emulator or a real device

🧪 Test Scenarios

Internal navigation

Home → Login → Profile should stay inside WebView

External navigation blocked

Clicking https://example.com should be blocked inside the WebView (or opened in the system browser, e.g. Chrome)

JS Bridge functionality (from the portal homepage)

  • Get device info → shows device string
  • Copy token → copies to clipboard + toast
  • Log event → appears in Logcat
  • Native toast → toast shown

🛡️ Security Notes (Summary)

  • WebView navigation is restricted using allowlist checks

  • JS bridge is hardened with origin checks (defense-in-depth)

  • WebView attack surface reduced via safe default settings

See SECURITY_NOTES.md for deeper reasoning and threat model.

📌 Future Improvements (if productionized)

  • Certificate pinning (where appropriate)

  • CSP / Trusted Types on portal

  • More robust logging + telemetry

  • Permission gating for sensitive bridge actions

  • Unit tests for URL policy enforcement
