microsoft / aad_b2c_webview

Azure AD B2C Embedded Webview is a very simple Flutter package that demonstrates how to use the embedded web view to sign in users with Azure AD B2C.
MIT License

Google login error that says “403 disallowed_useragent” #37

Open lalitparkale opened 7 months ago

lalitparkale commented 7 months ago

hi there,

I configured and tested the Azure AD B2C setup for Microsoft and Google logins. It worked. When I use the ADB2CEmbedWebView from my Android code, Microsoft login works, but Google login errors out with “403 disallowed_useragent”.

On Google's support website, it clearly states that "_Embedded WebViews puts your security at risk because they could let third parties access and change communications between you and Google._"

Update (7/3/24): after enabling Facebook access, I get the same message: "logging in to Facebook from an embedded browser is disabled".

Does this mean it's not a good practice to use embedded webviews? @mohanajuhi166, I would be keen to get your thoughts.

mohanajuhi166 commented 7 months ago

@lalitparkale, embedded web views, with respect to this package, allow a developer to retain the UI/UX experience for authentication and authorisation without redirecting to the native browser (this is a requirement of many app developers, where users don't really want the experience of navigating in the browser but instead want an in-app experience).

With respect to security, this package provides the bare minimum and basic implementation to set up the webview to achieve the above experience. We can of course add additional layers of security checks to the implementation, which should suffice for the warning given by Google. Some of them are: disabling JavaScript, having multi-factor authentication, and denying access to any files. In one of our implementations, we enabled multi-factor authentication and added a security library to further enhance the support of web views.

Embedded web view, in my opinion, provides a solution to cater to the UX experience, which cannot be avoided. Hope this answer provided some reasoning for the above question.
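As an added example (not code from the aad_b2c_webview package), the following webview_flutter 4.x controller applies the checks named in the reply above: JavaScript disabled, navigation limited to HTTPS pages on an allow-list of identity-provider hosts, and the redirect URI intercepted rather than rendered. The tenant host, redirect URI and allowed-host set are placeholders you must replace.

```dart
// Added example, not part of the aad_b2c_webview package.
// Hosts and URIs below are placeholders; substitute your own tenant values.
import 'package:webview_flutter/webview_flutter.dart';

const String b2cHost = '<tenant>.b2clogin.com';            // placeholder
const String redirectUri = 'https://<your-app>/auth/callback'; // placeholder
const Set<String> allowedHosts = {
  b2cHost,
  'login.microsoftonline.com', // Microsoft federation pages
  'accounts.google.com',       // Google federation pages
};

/// Decides whether the webview may load [url].
/// Anything that is not HTTPS or not on the allow-list is blocked. The
/// registered redirect URI is also blocked from loading: its query/fragment
/// (code, id_token, state) is passed to [onRedirect] for the app to handle.
NavigationDecision decideNavigation(
    String url, void Function(Uri) onRedirect) {
  final uri = Uri.tryParse(url);
  if (uri == null || uri.scheme != 'https') {
    return NavigationDecision.prevent;
  }
  if (url.startsWith(redirectUri)) {
    onRedirect(uri); // never render the callback page inside the webview
    return NavigationDecision.prevent;
  }
  return allowedHosts.contains(uri.host)
      ? NavigationDecision.navigate
      : NavigationDecision.prevent;
}

/// Builds a controller for the B2C authorize URL with the checks above.
WebViewController buildSignInController(
    Uri authorizeUrl, void Function(Uri) onRedirect) {
  return WebViewController()
    // One of the extra checks the reply lists: no script execution.
    ..setJavaScriptMode(JavaScriptMode.disabled)
    ..setNavigationDelegate(NavigationDelegate(
      onNavigationRequest: (NavigationRequest request) =>
          decideNavigation(request.url, onRedirect),
    ))
    ..loadRequest(authorizeUrl);
}
```

Render the controller with `WebViewWidget(controller: ...)` and verify that your B2C user flow still renders with JavaScript disabled, since many B2C page layouts rely on it. These checks do not alter the User-Agent the webview sends, so Google's `disallowed_useragent` block is unaffected; they only constrain where the embedded page can navigate and keep the callback response out of the rendered view.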