WebView is an Embedded user-agent and typically a web browser UI component that can be embedded in apps to render web pages.


That depends on how you use WebView with your app.

For example, GMail app uses WebView to view emails in a very safe way. The major risks comes from loading arbitrary 3rd-party content into your WebView.

System browsers deal with this problem by sandboxing web pages inside separate processes, so even if the page code exploits some security vulnerability of the rendering engine and gains control over it, it still would not be able act on behalf of the System browsers. WebView is single-process, so any security vulnerability in the renderer engine practically grants any malicious code the same rights as your application has.

Loading in an iframe will not help if the page is exploiting some renderer vulnerability via JavaScript. If you don't fully trust your third party, you should not use any code from them.

So basically, the rule for safe WebView use is to only load trusted content. If you need to display user-provided content, accept plain text only and sanitize it. Avoid enabling JavaScript. Target the most recent API level.

The preferred method is to make use of the External User-Agent

More Information#

There might be more information for this subject on one of the following: