Towards Understanding WebView Insecurities

About Our Research

We are a team of academic researchers from the Security & Privacy Research Unit at TU Wien, Austria. As part of an ongoing research project, we are investigating the security configurations of Android WebViews in apps.

WebViews are components that developers can embed in their applications to display web content. If configured improperly, they can introduce security vulnerabilities.

With our ongoing research, we aim to understand how WebViews are configured in apps in the wild and to shed light on why developers make certain choices regarding WebView settings. Furthermore, we are interested in the challenges developers face, and we aim to evaluate their understanding of WebView security implications, such as whether existing documentation and guidelines are sufficient.

Our ultimate goal is to help developers make informed decisions when configuring WebViews and to improve the overall security of their apps and the Android ecosystem.

Methodology

We performed an automated analysis of Android apps available on the Google Play Store to determine how developers configure WebViews. We now ask you to participate in a follow-up study to gather your knowledge and awareness regarding WebView security issues. You can access your report and take part in the survey below.

Developer Survey

We invite you to participate in a short survey (~10 minutes) that will greatly contribute to our academic research. Your responses will be solely used for academic research. Participation is voluntary, and you may skip any question or withdraw at any time without consequences.

To ensure the integrity of our research and provide the most accurate insights for all developers, we kindly request you complete the survey before accessing your personalized report. Your unbiased feedback is invaluable.

We greatly appreciate your time and input in helping us make the Android ecosystem more secure.

The survey will open in a new tab.

Personalized App Analysis Report

We have generated a report for you that summarizes potential security oversights in your apps, along with suggestions on how to improve them. The report is based on the analysis of your apps.

To view your personalized report, please click the button below. The report will open in a new tab.

Ethical Considerations

We did not perform any active attacks against apps, but rather conducted a static and dynamic analysis of the apps' WebView configurations. In certain cases, we performed manual validation of the issues identified by our automated analysis. Furthermore, we never accessed, collected, or retained user data at any stage of the research process.

Contact

If you have any questions, feedback, or concerns, please do not hesitate to contact us at webview-security@secpriv.tuwien.ac.at.