
Earlier, I uploaded an app to Play Market that used WebView and accessed local storage to send files. Although Google agreed to publish it, I received an email telling me to make my app not access local storage. I didn’t update it, and it was soon banned.

Now I am uploading another app, also with WebView, but currently without local storage access. But I need it.

What should I do to make my WebView app access local storage without it being banned by Google?

The app loads my site, where everyone can post news, pinning a photo or video.


  • The app loads only one https:// URL. There are no in-site links to other sites.

  • Also, my app currently uses android:usesCleartextTraffic="true". That is because at first I set an http URL in the loadUrl() method and couldn’t load it. I googled how to fix that and found two solutions: the one above, and changing the URL to https. I decided to use both, but it seems I can set usesCleartextTraffic to false if it can help with my publishing problem.

  • You cannot do this because of the policy. What you can do is create an intermediate view (Fragment / Activity) that will access local storage and then pass it to the web view (but this is still at risk). Could you tell more about why you need this? Maybe there are other solutions so far. – Oleg Novosad Feb 11 '21 at 08:51
  • @Array The app loads my site, where everyone can post news, pinning a photo or video. – Isociaisjh Feb 11 '21 at 08:54
  • Yes, creating a mobile web view app that opens a website is not possible, you might want to convert it to real mobile app using react-native / flutter / ionic. Or export the API of your website to the app and implement application itself. – Oleg Novosad Feb 11 '21 at 09:07
  • @Array The only thing that gives hope is this recommendation from Google Support: “If a WebView needs to enable these dangerous settings, you must ensure that it does not load untrusted web content. This includes web content loaded over HTTP. You can set android:usesCleartextTraffic=false or set a Network Security Config that disallows HTTP traffic in your Manifest. Alternatively, you can ensure that any WebViews with dangerous settings do not load any URLs with HTTP schemes. You should also ensure that WebViews with dangerous settings do not load URLs obtained from untrusted sources.” – Isociaisjh Feb 11 '21 at 09:15

1 Answer


I am the original poster; I lost access to my account.


For some reason, my newly uploaded WebView app is not going to be banned.

What I’ve done, and what you may do:

  1. WebView.loadUrl() loads only https URLs.
  2. There is no Java code that could be run from JS using the WebView.
  3. File chooser code from @Rahul Khurana's answer. All code for Android < KitKat was removed.
  4. In AndroidManifest.xml: android:usesCleartextTraffic="false"
  5. Obviously, do not make any kind of malware shit, either in the software or on the site.

As far as I remember, last time, after publishing, I received an email, and it seems there was also a message on Play Console with an issue about File-based XSS.

Currently, a few days after publishing, I haven’t received any messages from Google Play.
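
The checklist in this answer, sketched as a single Activity. This is an added example, not the poster's code or the file chooser code from the referenced answer. It assumes minSdk 21, that the "dangerous settings" in the Google Support quote are WebView's file-access settings, and uses the placeholder names `MainActivity` and `example.com`; the manifest is assumed to carry `android:usesCleartextTraffic="false"` as in step 4.

```java
// Added example (constructed): HTTPS-only WebView with uploads via the system file chooser.
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.*;

public class MainActivity extends Activity {              // placeholder class name
    private static final String ALLOWED_HOST = "example.com"; // placeholder for the one site loaded
    private static final int PICK_FILE = 1;
    private ValueCallback<Uri[]> pendingUpload;

    @Override protected void onCreate(Bundle state) {
        super.onCreate(state);
        WebView web = new WebView(this);
        setContentView(web);
        WebSettings s = web.getSettings();
        s.setJavaScriptEnabled(true);                  // site scripts run; no addJavascriptInterface() call
        s.setAllowFileAccess(false);                   // WebView itself cannot load file:// URLs
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        web.setWebViewClient(new WebViewClient() {
            @Override public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                Uri u = r.getUrl();
                boolean ok = "https".equals(u.getScheme()) && ALLOWED_HOST.equals(u.getHost());
                return !ok;                            // true cancels any navigation off the allowed origin
            }
        });
        web.setWebChromeClient(new WebChromeClient() {
            @Override public boolean onShowFileChooser(WebView v, ValueCallback<Uri[]> cb,
                                                       FileChooserParams p) {
                if (pendingUpload != null) pendingUpload.onReceiveValue(null); // drop a stale request
                pendingUpload = cb;
                try {
                    startActivityForResult(p.createIntent(), PICK_FILE); // user picks the file
                } catch (ActivityNotFoundException e) {
                    pendingUpload = null;
                    return false;                      // no picker available; WebView cancels the upload
                }
                return true;
            }
        });
        web.loadUrl("https://" + ALLOWED_HOST + "/");
    }

    @Override protected void onActivityResult(int request, int result, Intent data) {
        super.onActivityResult(request, result, data);
        if (request != PICK_FILE || pendingUpload == null) return;
        // parseResult returns null when the user cancelled, which WebView treats as "no file".
        pendingUpload.onReceiveValue(WebChromeClient.FileChooserParams.parseResult(result, data));
        pendingUpload = null;
    }
}
```

The upload path never grants the page direct storage access: the user selects a file in the system picker and only that file's URI is handed back to the `<input type="file">` element.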