FAUSTINE MWOYA, November 22, 2025

How to Prevent XSS/Injection in WebView, and Encrypt Stored Data

A WebView that can safely display user-supplied data (XSS/injection protection).

Data encryption for SharedPreferences (for managing tokens/passwords).

Sanitize HTML, disable JavaScript, and encrypt the data at rest.

1. Project Structure
SafeWebViewApp/
├─ app/
│  ├─ src/
│  │  └─ main/
│  │     ├─ java/com/example/safewebview/
│  │     │  └─ MainActivity.java
│  │     └─ res/
│  │        ├─ layout/
│  │        │  └─ activity_main.xml
│  │        └─ values/
│  │           └─ strings.xml
│  └─ build.gradle
└─ build.gradle

2. activity_main.xml
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:padding="16dp"
    android:layout_width="match_parent"
    android:layout_height="match_parent">

    <EditText
        android:id="@+id/inputField"
        android:hint="Andika message yako"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"/>

    <Button
        android:id="@+id/loadButton"
        android:text="Onyesha WebView"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"/>

    <WebView
        android:id="@+id/webView"
        android:layout_width="match_parent"
        android:layout_height="0dp"
        android:layout_weight="1"/>

</LinearLayout>

3. MainActivity.java
package com.example.safewebview;

import android.content.SharedPreferences;
import android.os.Bundle;
import android.text.Html;
import android.util.Base64;
import android.view.View;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.widget.Button;
import android.widget.EditText;

import androidx.appcompat.app.AppCompatActivity;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public class MainActivity extends AppCompatActivity {

    private WebView webView;
    private EditText inputField;
    private Button loadButton;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        webView = findViewById(R.id.webView);
        inputField = findViewById(R.id.inputField);
        loadButton = findViewById(R.id.loadButton);

        // WebView settings
        WebSettings webSettings = webView.getSettings();
        webSettings.setJavaScriptEnabled(false); // Disable JS for safety

        loadButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                String userInput = inputField.getText().toString();

                // Sanitize input to prevent XSS: '<', '>', '&' and non-ASCII characters
                // become HTML entities. Note that Html.escapeHtml() does not escape quotes,
                // so the result is only safe as element text, never inside an attribute.
                String safeInput = Html.escapeHtml(userInput);

                // loadData() parses non-base64 data as a data: URL, so a '#' in the escaped
                // text (e.g. &#233; for a non-ASCII character) or a '%' / '?' typed by the
                // user would be read as URL syntax and truncate or corrupt the page.
                // Base64-encoding the document avoids that.
                String encoded = Base64.encodeToString(
                        safeInput.getBytes(StandardCharsets.UTF_8), Base64.NO_PADDING);
                webView.loadData(encoded, "text/html", "base64");

                // Save input securely using EncryptedSharedPreferences
                saveSecureData("last_message", userInput);
            }
        });
    }

    private void saveSecureData(String key, String value) {
        try {
            MasterKey masterKey = new MasterKey.Builder(this)
                    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                    .build();

            // create() returns the SharedPreferences interface, not the concrete class
            SharedPreferences securePrefs = EncryptedSharedPreferences.create(
                    this,
                    "secure_prefs",
                    masterKey,
                    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
            );

            securePrefs.edit().putString(key, value).apply();

        } catch (GeneralSecurityException | IOException e) {
            e.printStackTrace();
        }
    }
}

4. build.gradle (Module: app)

Make sure you have added the AndroidX Security Library dependency (note that Google has since deprecated this library from 1.1.0-alpha07 onward; the API used here still works, but plan for a migration in new projects):

dependencies {
    implementation 'androidx.security:security-crypto:1.1.0-alpha03'
    implementation 'androidx.appcompat:appcompat:1.6.1'
    implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
}

5. How it works

The user types a message into the EditText.

The app sanitizes the input (HTML-escapes it) to prevent XSS.

The WebView displays the sanitized message.

The data is also stored securely in EncryptedSharedPreferences.

JavaScript is disabled so that no malicious script can run inside the WebView.
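The following helper class is an added example, not code from the original post, and it goes somewhat beyond sections 3 and 5 above: besides disabling JavaScript it also turns off file:// and content:// access and drops any navigation attempt, wraps the escaped text in a fixed HTML template carrying a Content-Security-Policy, uses loadDataWithBaseURL() so that URL-special characters in the escaped text are rendered literally, and creates the EncryptedSharedPreferences instance once per process with a read-back method. The class and method names (SafeWebViewHelper, SecureStore, harden, showUserText, put, get) are assumptions made for this example.

```java
package com.example.safewebview;

import android.content.Context;
import android.content.SharedPreferences;
import android.text.Html;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.IOException;
import java.security.GeneralSecurityException;

/**
 * Hypothetical helper (added example, not part of the original post).
 * Usage from an Activity:
 *   SafeWebViewHelper.harden(webView);
 *   SafeWebViewHelper.showUserText(webView, input);
 *   SafeWebViewHelper.SecureStore.put(this, "last_message", input);
 *   String last = SafeWebViewHelper.SecureStore.get(this, "last_message");
 */
public final class SafeWebViewHelper {

    private SafeWebViewHelper() {}

    /** Locks the WebView down to rendering static, app-supplied HTML only. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);   // no script execution at all
        s.setAllowFileAccess(false);     // rendered page cannot read file:// URLs
        s.setAllowContentAccess(false);  // nor content:// providers
        s.setDomStorageEnabled(false);
        s.setGeolocationEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // true = "the app handled it": any navigation away from our page is dropped
                return true;
            }
        });
    }

    /** Escapes the user text and embeds it in a fixed template with a restrictive CSP. */
    public static String buildPage(String userText) {
        String escaped = Html.escapeHtml(userText); // '<', '>', '&', non-ASCII -> entities
        return "<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
                + "<meta http-equiv=\"Content-Security-Policy\" "
                + "content=\"default-src 'none'; style-src 'unsafe-inline'\">"
                + "</head><body><pre style=\"white-space:pre-wrap\">"
                + escaped + "</pre></body></html>";
    }

    public static void showUserText(WebView webView, String userText) {
        // loadDataWithBaseURL() does not parse the payload as a data: URL, so '#', '%'
        // and '?' in the escaped text are rendered literally instead of as URL syntax.
        webView.loadDataWithBaseURL(null, buildPage(userText), "text/html", "UTF-8", null);
    }

    /** One EncryptedSharedPreferences instance per process, plus a read-back helper. */
    public static final class SecureStore {
        private static final String FILE_NAME = "secure_prefs";
        private static SharedPreferences prefs;

        private SecureStore() {}

        private static synchronized SharedPreferences open(Context ctx)
                throws GeneralSecurityException, IOException {
            if (prefs == null) {
                Context app = ctx.getApplicationContext();
                // Master key lives in the Android Keystore; only wrapped data keys hit disk
                MasterKey masterKey = new MasterKey.Builder(app)
                        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                        .build();
                prefs = EncryptedSharedPreferences.create(
                        app, FILE_NAME, masterKey,
                        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
            }
            return prefs;
        }

        public static void put(Context ctx, String key, String value)
                throws GeneralSecurityException, IOException {
            open(ctx).edit().putString(key, value).apply();
        }

        /** Returns the decrypted value, or null if the key was never stored. */
        public static String get(Context ctx, String key)
                throws GeneralSecurityException, IOException {
            return open(ctx).getString(key, null);
        }
    }
}
```

Two design points: keying the store off the application context avoids leaking an Activity through the static field, and letting the checked exceptions propagate to the caller (rather than swallowing them with printStackTrace) means a Keystore failure is visible instead of silently leaving the value unsaved.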

Useful Links

Android WebView Documentation

Android EncryptedSharedPreferences

OWASP Mobile Security Project

SQLCipher for Android
