Maintaining good security
It is important to be aware that exchanging messages between JavaScript and Java can have various security implications. It is vital, therefore, that the developer considers fully which web pages may be loaded inside a nUIWebView or nUIWebviewElement, which messages may potentially be passed to and from that page, and how they are handled. The developer may wish to consider implementing some or all of the items on this non-exhaustive list:
Checking Object.equals() on the nUIWebView or nUIWebviewElement making calls from JavaScript into Java.
Using processURL() callbacks to create a URL whitelisting system and/or tracking the currently loaded web page.
Passing a secret token into JavaScript from Java or an external server before accepting calls from JavaScript back into Java.
Disabling callbacks with a boolean until they are expected.
Obfuscating JavaScript code for release builds.
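The first four items can be combined into a single gate on the Java side. The class below is an added example, not code from the nUI documentation: BridgeGuard and all of its method names are hypothetical, the web view is held as a plain Object, and it assumes the application calls onNavigate() from its processURL() callback and accept() before handling any message from JavaScript.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper: none of these names belong to the nUI API.
public final class BridgeGuard {
    private final Object trustedView;          // the web view instance the app created
    private final Set<String> allowedHosts;    // lower-case host allowlist
    private final byte[] token;                // per-session secret, ASCII bytes
    private volatile boolean pageAllowed;      // tracks the currently loaded page
    private volatile boolean callbacksEnabled; // stays false until a call is expected

    public BridgeGuard(Object trustedView, Set<String> allowedHosts) {
        this.trustedView = trustedView;
        this.allowedHosts = Set.copyOf(allowedHosts);
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        this.token = Base64.getUrlEncoder().withoutPadding().encode(raw);
    }

    // Call with the URL being loaded; returns false if the load should be refused.
    public boolean onNavigate(String url) {
        try {
            URI u = URI.create(url);
            pageAllowed = "https".equalsIgnoreCase(u.getScheme()) && u.getHost() != null
                    && allowedHosts.contains(u.getHost().toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException | NullPointerException e) {
            pageAllowed = false;               // unparsable URL: treat as untrusted
        }
        if (!pageAllowed) callbacksEnabled = false;
        return pageAllowed;
    }

    // Token to pass into JavaScript; null while an untrusted page is loaded.
    public String tokenForPage() {
        return pageAllowed ? new String(token, StandardCharsets.US_ASCII) : null;
    }

    public void expectCall(boolean enabled) { callbacksEnabled = enabled; }

    // Gate every JavaScript-to-Java message through this before acting on it.
    public boolean accept(Object sourceView, String presentedToken) {
        if (!callbacksEnabled || !pageAllowed || presentedToken == null) return false;
        if (sourceView == null || !sourceView.equals(trustedView)) return false;
        return MessageDigest.isEqual(token, presentedToken.getBytes(StandardCharsets.US_ASCII));
    }
}
```

The token comparison uses MessageDigest.isEqual so that a page cannot learn the secret from timing differences, and any navigation to a host outside the allowlist switches callbacks off until the application re-enables them.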