To add some context to @slightlylate’s quoted tweet: the issue is the `shouldInterceptRequest` method (https://developer.android.com/reference/android/webkit/WebViewClient.html#shouldInterceptRequest(android.webkit.WebView,%20android.webkit.WebResourceRequest) …) that essentially allows any app to intercept (MITM) and rewrite traffic, even if loaded over HTTPS. Use ChromeCustomTabs, folks! Distrust WebView! https://twitter.com/slightlylate/status/1104964835362529283 …
If you know how to decompile Android apps (https://stackoverflow.com/questions/3593420/is-there-a-way-to-get-the-source-code-from-an-apk-file …) and the app in question hasn’t obfuscated the code, there is a chance you can search for occurrences of the `shouldInterceptRequest` calls. But I have no idea how feasible this is on an app like Facebook’s.
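
An added example, not part of the thread: a sketch of the search the reply above describes, run over a decompiler's Java or smali output. It goes slightly beyond a plain text search by reporting only overrides of `shouldInterceptRequest` (not calls) and flagging those that construct their own `WebResourceResponse`; the function names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

# Declaration (override), not a call: Java return type + name, or a smali .method line.
JAVA_DECL = re.compile(r"\bWebResourceResponse\s+shouldInterceptRequest\s*\(")
SMALI_DECL = re.compile(r"^\s*\.method\b.*\sshouldInterceptRequest\(Landroid/webkit/WebView;")
# Heuristic: the override constructs its own response instead of deferring to super.
BUILDS_RESPONSE = re.compile(
    r"new\s+WebResourceResponse\b|new-instance\s+\w+,\s*Landroid/webkit/WebResourceResponse;")

def method_body(lines, start):  # text of the method that starts at lines[start]
    if SMALI_DECL.search(lines[start]):
        for end in range(start, len(lines)):
            if lines[end].strip() == ".end method":
                break
        return "\n".join(lines[start:end + 1])
    depth, opened, body = 0, False, []
    for line in lines[start:]:  # naive brace count; ignores braces in strings/comments
        body.append(line)
        depth += line.count("{") - line.count("}")
        opened = opened or "{" in line
        if opened and depth <= 0:
            break
    return "\n".join(body)

def scan_text(name, text):  # overrides found in one decompiled source file
    lines = text.splitlines()
    return [{"file": name, "line": i + 1,
             "builds_response": bool(BUILDS_RESPONSE.search(method_body(lines, i)))}
            for i, line in enumerate(lines)
            if JAVA_DECL.search(line) or SMALI_DECL.search(line)]

def scan_tree(root):  # every .java/.smali file under a decompiler's output directory
    files = [p for p in sorted(Path(root).rglob("*")) if p.suffix in (".java", ".smali")]
    return [h for p in files if p.is_file() for h in scan_text(str(p), p.read_text(errors="replace"))]

# Constructed sample, not taken from any real app.
SAMPLE_JAVA = """\
class PassThroughClient extends WebViewClient {
    public WebResourceResponse shouldInterceptRequest(WebView v, WebResourceRequest r) {
        return super.shouldInterceptRequest(v, r);
    }
}
class RewritingClient extends WebViewClient {
    public WebResourceResponse shouldInterceptRequest(WebView v, WebResourceRequest r) {
        return new WebResourceResponse("text/html", "utf-8", load(r));
    }
}
"""
if __name__ == "__main__": print(scan_text("Sample.java", SAMPLE_JAVA))
```

An override that only returns `super.shouldInterceptRequest(...)` or `null` leaves the response untouched, so the `builds_response` flag is the part worth reading first; obfuscated or reflection-based code will not be caught by this pattern match.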