A WebView that displays user-supplied data safely (protection against XSS/injection).

Data encryption for SharedPreferences (for storing tokens/passwords).

Sanitize the HTML, disable JavaScript, and encrypt the stored data.

1. Project Structure
SafeWebViewApp/
├─ app/
│  ├─ src/
│  │  └─ main/
│  │     ├─ java/com/example/safewebview/
│  │     │  └─ MainActivity.java
│  │     └─ res/
│  │        ├─ layout/
│  │        │  └─ activity_main.xml
│  │        └─ values/
│  │           └─ strings.xml
│  └─ build.gradle
└─ build.gradle

2. activity_main.xml
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:padding="16dp"
    android:layout_width="match_parent"
    android:layout_height="match_parent">

    <EditText
        android:id="@+id/inputField"
        android:hint="Type your message"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"/>

    <Button
        android:id="@+id/loadButton"
        android:text="Show in WebView"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"/>

    <WebView
        android:id="@+id/webView"
        android:layout_width="match_parent"
        android:layout_height="0dp"
        android:layout_weight="1"/>

</LinearLayout>

3. MainActivity.java
package com.example.safewebview;

import android.content.SharedPreferences;
import android.os.Bundle;
import android.text.Html;
import android.util.Base64;
import android.util.Log;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.widget.Button;
import android.widget.EditText;

import androidx.appcompat.app.AppCompatActivity;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public class MainActivity extends AppCompatActivity {

    private static final String TAG = "SafeWebView";

    private WebView webView;
    private EditText inputField;
    private Button loadButton;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        webView = findViewById(R.id.webView);
        inputField = findViewById(R.id.inputField);
        loadButton = findViewById(R.id.loadButton);

        // WebView settings: this view only ever renders our own escaped text, so it needs
        // neither script execution nor access to local files or content providers.
        WebSettings webSettings = webView.getSettings();
        webSettings.setJavaScriptEnabled(false); // already the default; stated explicitly
        webSettings.setAllowFileAccess(false);
        webSettings.setAllowContentAccess(false);

        loadButton.setOnClickListener(view -> {
            String userInput = inputField.getText().toString();

            // Escape for the HTML text context: < > & and control/non-ASCII characters become
            // entities, so whatever the user typed can only render as text inside <p>.
            String safeInput = Html.escapeHtml(userInput);
            String html = "<!doctype html><html><head><meta charset=\"utf-8\"></head>"
                    + "<body><p>" + safeInput + "</p></body></html>";

            // loadData() wraps the string in a data: URL. Passed raw, a '#' or '%' in the page
            // (the numeric entities Html.escapeHtml emits for non-ASCII and control characters
            // contain '#') truncates or corrupts the document on Android 10 and later.
            // Base64-encoding the page avoids that.
            String encoded = Base64.encodeToString(html.getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP);
            webView.loadData(encoded, "text/html", "base64");

            // Store the original input (not the escaped form) encrypted at rest.
            saveSecureData("last_message", userInput);
        });
    }

    private void saveSecureData(String key, String value) {
        try {
            // The master key lives in the Android Keystore and never leaves the device.
            MasterKey masterKey = new MasterKey.Builder(this)
                    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                    .build();

            // create() returns the SharedPreferences interface, not EncryptedSharedPreferences.
            SharedPreferences securePrefs = EncryptedSharedPreferences.create(
                    this,
                    "secure_prefs",
                    masterKey,
                    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
            );

            securePrefs.edit().putString(key, value).apply();

        } catch (GeneralSecurityException | IOException e) {
            // Log the failure, never the value being stored.
            Log.e(TAG, "Could not store value in encrypted preferences", e);
        }
    }
}

4. build.gradle (Module: app)

Make sure you have added the AndroidX Security library dependency. Note that security-crypto requires minSdk 23 or higher, because the master key is stored in the Android Keystore:

dependencies {
    // Keystore-backed MasterKey and EncryptedSharedPreferences
    implementation 'androidx.security:security-crypto:1.1.0-alpha03'
    implementation 'androidx.appcompat:appcompat:1.6.1'
    implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
}

5. How it works

The user types a message into the EditText.

The app escapes the input with Html.escapeHtml to prevent XSS. This escapes <, > and & plus control and non-ASCII characters, but not quotes, so it is only safe when the result lands in HTML element text, as it does here inside <p>. It must never be used for a value that ends up inside an attribute, a <script> block, or a URL; those contexts need their own encoding.

The page is Base64-encoded and handed to WebView.loadData() with the "base64" encoding, so characters such as # and % in the escaped content cannot be misread as parts of the data: URL.

The WebView displays the message as plain text.

The original input is also stored encrypted in EncryptedSharedPreferences; the key and value are both ciphertext on disk, and the master key is kept in the Android Keystore.

JavaScript, file access and content-provider access are disabled, so even if the escaping were ever bypassed no script could run inside the WebView and nothing local could be read from it.
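The introduction names tokens and passwords as the real use of the encrypted preferences, while the app above stores a message and rebuilds the master key on every click. The following class, added here as an example and not part of the original page, shows the same AndroidX calls used the way a production app would use them for a session token: the MasterKey and preferences are built once and reused, the value is read back and cleared on logout, and a preferences file whose ciphertext can no longer be verified (for example after the Keystore key was invalidated or the file was restored from another install) is wiped so the user can sign in again. The class name SecureTokenStore, the file name "auth_prefs", the key name and the wipe-on-failure policy are choices made for this example; the EncryptedSharedPreferences and MasterKey calls are the library's own.

```java
package com.example.safewebview;

import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.util.Log;

import androidx.annotation.Nullable;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

/**
 * Added example: a small wrapper around EncryptedSharedPreferences for a session token.
 * SecureTokenStore, PREFS_FILE and KEY_TOKEN are names chosen for this example.
 */
public final class SecureTokenStore {

    private static final String TAG = "SecureTokenStore";
    private static final String PREFS_FILE = "auth_prefs";   // on disk: auth_prefs.xml, keys and values encrypted
    private static final String KEY_TOKEN = "session_token";

    private final Context appContext;
    @Nullable private SharedPreferences prefs;               // built lazily, then reused

    public SecureTokenStore(Context context) {
        // Hold the application context, not an Activity, so the store can outlive one screen.
        this.appContext = context.getApplicationContext();
    }

    /** Builds the Keystore-backed master key and the encrypted preferences once. */
    private synchronized SharedPreferences prefs() throws GeneralSecurityException, IOException {
        if (prefs == null) {
            MasterKey masterKey = new MasterKey.Builder(appContext, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
                    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                    .build();
            prefs = EncryptedSharedPreferences.create(
                    appContext,
                    PREFS_FILE,
                    masterKey,
                    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        }
        return prefs;
    }

    /** Stores the token; returns false if the encrypted store cannot be opened or written. */
    public boolean saveToken(String token) {
        try {
            // commit() rather than apply(): the caller learns synchronously whether the write landed.
            return prefs().edit().putString(KEY_TOKEN, token).commit();
        } catch (GeneralSecurityException | IOException e) {
            Log.e(TAG, "Cannot open encrypted preferences", e);   // never log the token itself
            return false;
        }
    }

    /** Returns the stored token, or null if there is none or it can no longer be decrypted. */
    @Nullable
    public String loadToken() {
        try {
            return prefs().getString(KEY_TOKEN, null);
        } catch (GeneralSecurityException | IOException e) {
            Log.e(TAG, "Cannot open encrypted preferences", e);
            return null;
        } catch (SecurityException e) {
            // EncryptedSharedPreferences throws SecurityException when a stored value fails
            // AEAD verification (invalidated Keystore key, tampered or foreign file). The data is
            // unrecoverable, so this example's policy is to wipe the file and force a new sign-in.
            Log.w(TAG, "Encrypted preferences unreadable, resetting", e);
            reset();
            return null;
        }
    }

    /** Logout: remove the token but keep the file and key set. */
    public void clearToken() {
        try {
            prefs().edit().remove(KEY_TOKEN).apply();
        } catch (GeneralSecurityException | IOException e) {
            Log.e(TAG, "Cannot open encrypted preferences", e);
        }
    }

    /** Deletes the whole preferences file and drops the cached handle. */
    private synchronized void reset() {
        prefs = null;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
            appContext.deleteSharedPreferences(PREFS_FILE);
        } else {
            // API 23 has no deleteSharedPreferences(); empty the same file through a plain handle.
            appContext.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE).edit().clear().commit();
        }
    }
}
```

Usage from an Activity would be `new SecureTokenStore(this).saveToken(token)` after login and `loadToken()` on start; a null result from `loadToken()` means either no session or an unreadable store, and both should route the user to the login screen. The wipe in `reset()` deliberately discards data rather than trying to repair it, since a ciphertext that fails authentication cannot be trusted even if it could somehow be decoded.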

Useful Links

Android WebView Documentation

Android EncryptedSharedPreferences

OWASP Mobile Security Project

SQLCipher for Android