Is it legit to inject JavaScript into WKWebView?

Hi,

Declaration :

Apologies if this question is already answered somewhere else, but I am asking here so I can use it as proof.

Few context

  • I am working on an app which falls under social media applications.
  • In the app there is a module which we use to load HTML URLs (call it the in-app browser).
  • We want to monitor errors that occur while the user browses HTML pages in the in-app browser, including JAVA-SCRIPT errors.

For the above reason I am planning to inject the JavaScript below into every HTML page:

    window.addEventListener('error', (error) => {
        const message = { message: error.message };
        window.webkit.messageHandlers.jserror.postMessage(message);
    });

Questions Are

  1. Is it legit to inject the above JavaScript into WKWebView where the app falls under social media apps?
  2. Is there any security risk involved?

  • What do you mean by "legit" ? What exactly are you asking?

  • Let me refresh

    I want to know: will it cause any issue in App Review?

    2. Will it cause any security risk?

    There is confusion about my solution, so I wanted a third opinion :D

  • I want to know whether it will cause any issue during the review process, OR whether the above solution will compromise the user's security somehow.

Replies

By legit I mean

  1. Will it cause any issue during the Apple review process?
  2. Is the above solution considered risky from a user's security perspective?

Will it cause any issue during the Apple review process?

Only App Review can give you definitive answers about what will or won’t be allowed on the App Store. Having said that, this overall technique is specifically allowed for in the WKWebView API and is commonly used.

Is the above solution considered risky from a user's security perspective?

Yes. While WKWebView does put some limits on what you can do from injected JavaScript, using an in-app browser definitely exposes you to more risk than using Safari directly.

A more secure in-app browser experience is SFSafariViewController.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
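
The native side of the script in the question, as an added example that is not code from this thread or from Apple. It registers the `jserror` handler and treats each message as untrusted input, since any script in any loaded page can post to the handler; `JSErrorReporter`, `maxLength` and `record` are illustrative names and values.

```swift
import WebKit

final class JSErrorReporter: NSObject, WKScriptMessageHandler {
    static let handlerName = "jserror"   // handler name used in the question's script
    private static let maxLength = 500   // assumed cap on stored text

    // The question's listener, wrapped so it adds no page-visible globals.
    private static let source = """
    (function () {
      window.addEventListener('error', function (event) {
        window.webkit.messageHandlers.jserror.postMessage({
          message: String(event.message)
        });
      });
    })();
    """

    // Call on the configuration before creating the WKWebView.
    func install(in configuration: WKWebViewConfiguration) {
        let controller = configuration.userContentController
        controller.addUserScript(WKUserScript(source: Self.source,
                                              injectionTime: .atDocumentStart,
                                              forMainFrameOnly: false))
        controller.add(self, name: Self.handlerName)
    }

    // Page content controls everything in message.body, so check the type,
    // cap the length, and take the origin from WebKit rather than from the payload.
    func userContentController(_ userContentController: WKUserContentController,
                               didReceive message: WKScriptMessage) {
        guard message.name == Self.handlerName,
              let body = message.body as? [String: Any],
              let text = body["message"] as? String else { return }
        let origin = message.frameInfo.securityOrigin
        record(message: String(text.prefix(Self.maxLength)),
               origin: "\(origin.protocol)://\(origin.host)",
               mainFrame: message.frameInfo.isMainFrame)
    }

    // Hypothetical sink: replace with the app's own error logging.
    private func record(message: String, origin: String, mainFrame: Bool) {
        print("JS error from \(origin) (main frame: \(mainFrame)): \(message)")
    }
}
```

The handler only records text; it never uses the received string to build a URL, file path, or script to evaluate.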

  • Thank you for your detailed report. I am clear with #1.

    Regarding #2, "Is the above solution considered risky from a user's security perspective?", I need more follow-up.

    You said WKWebView is risky compared to SFSafariViewController, and I agreed. So is it OK to say that the above script (suggested in the question) will not add any EXTRA risk if WKWebView is already in use?

    FYI : WKWebView we are already using as in-app browser in my App, and debate is should we inject JS script or not.

  • Thank

Declaration : Adding my comment as a reply to eskimo's reply, as I am not able to post it as a comment

Hi, @eskimo

Thank you for your reply and clarification.

Will it cause any issue during the Apple review process?

RESOLVED

Is the above solution considered risky from a user's security perspective?

So is my interpretation correct if I say,

This solution will not increase any risk if WKWebView is already in use.

"There is confusion in our team regarding will it cause any issue for user or not ? :)"