According to Google, you should not use addJavascriptInterface with untrusted code (by "untrusted" they mean anything not bundled with your app) and if you do so it may cause the app to be removed from the Play Store. My understanding is that this is due to security vulnerabilities around JavaScript being able to call methods using reflection. However these were remediated in API 17 as any method called from JavaScript must be annotated with @JavascriptInterface. My app has minSdkVersion of 21, so I feel this policy is not applicable. I am only exposing some basic functions which display toast messages.

I have not yet tried to publish the code which uses addJavascriptInterface as it's still being tested. However, as Google doesn't provide any way to check your app before you get to publication, I am not sure if this code will be blocked.

As an alternative I am looking into using createWebMessageChannel as an alternative to addJavascriptInterface, following this answer. While it is ostensibly more secure, it doesn't support API < 23 (so for me that would be API 21-22 which couldn't use this solution), and it also seems unnecessarily complicated for what I'm trying to do.

For apps with minSdkVersion > 17, can we still expect the app to be blocked from Play Store due to the above policy?

Adam Burley

1 Answer

Make sure you take the necessary safety precautions. Be careful that you set the webview interface in Proguard.

-keepclassmembers class * {
    @android.webkit.JavascriptInterface <methods>;
}
Arda Kazancı
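
The pattern discussed in the question and answer above, as an added example that is not part of either post: a bridge that exposes a single toast method through `@JavascriptInterface` (the methods the keep rule preserves) and is attached only to a WebView showing app-bundled content. The class name `ToastBridge`, the JavaScript name, the length limit and the asset path `index.html` are assumptions made for illustration.

```java
// Added example; ToastBridge, the asset path and the limits are assumptions.
import android.content.Context;
import android.os.Handler;
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public final class ToastBridge {
    private static final String BUNDLED_PREFIX = "file:///android_asset/";
    private static final int MAX_MESSAGE_LENGTH = 200;

    private final Context appContext;
    private final Handler mainThread = new Handler(Looper.getMainLooper());

    private ToastBridge(Context context) {
        this.appContext = context.getApplicationContext();
    }

    // On API 17+ only methods carrying this annotation are callable from JavaScript.
    @JavascriptInterface
    public void showToast(String message) {
        // Treat the argument as untrusted input: reject null and cap the length.
        if (message == null || message.length() > MAX_MESSAGE_LENGTH) {
            return;
        }
        // Bridge methods run on a WebView background thread; hop to the UI thread.
        mainThread.post(() -> Toast.makeText(appContext, message, Toast.LENGTH_SHORT).show());
    }

    public static void attach(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            @SuppressWarnings("deprecation") // String overload is the one available at API 21
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation, keeping the bridge on bundled pages.
                return url == null || !url.startsWith(BUNDLED_PREFIX);
            }
        });
        // The object is visible to every frame in this WebView, so add it only
        // to a WebView that displays app-bundled content.
        webView.addJavascriptInterface(new ToastBridge(webView.getContext()), "ToastBridge");
        webView.loadUrl(BUNDLED_PREFIX + "index.html");
    }
}
```

From the bundled page the method is called as `ToastBridge.showToast("Saved")`; without the keep rule from the answer, a minified release build may rename or strip `showToast` and the call fails.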