Remediation for OAuth via WebView

This information is intended for developers with app(s) that use WebViews for authentication.

What’s happening

One or more of your apps use a WebView for authentication, which is not recommended. Using WebViews for OAuth 2.0 requests negatively affects both the security and usability of your app. Please review the steps below for ways to migrate your app away from this method of authentication. The location(s) of OAuth 2.0 requests made via WebViews in your app can be found in the Play Console notification for your app. If a location ends with “(in dynamically loaded code)”, then the location is in code dynamically loaded by the app or by libraries used by the app. Applications typically use dynamically loaded code through on-demand feature delivery, though other techniques that are not recommended exist (some of these also violate Google Play policy and should not be used). Additionally, packers can transform application code into dynamically loaded code.

Fixing this issue is recommended but not mandatory. The publication status of your app will be unaffected by the presence of this issue.

Additional details

Since the release of Chrome Custom Tabs, Google has recommended that developers move away from using WebViews for authentication. Using OAuth for authentication in a WebView can make your app susceptible to security problems and hurt usability by disconnecting the user from single sign-on sessions. Chrome Custom Tabs mitigate these issues.

Next steps

1. Update your app and fix “Usage of WebViews for Authentication” alerts using the steps below:

  1. Review your app for the location where an OAuth 2.0 request is made via a WebView.
  2. Google recommends that developers replace this WebView with a Chrome Custom Tab. Please follow the steps in the Chrome Custom Tabs implementation guide to add a Chrome Custom Tab to your app.
  3. Perform the OAuth 2.0 request in the added Chrome Custom Tab instead of the WebView.

2. Submit your updated APK

To submit an updated app bundle or APK:

  1. Go to your Play Console.
  2. Select the app.
  3. Go to the App bundle explorer.
  4. Select the non-compliant APK/app bundle's App version at the top right dropdown menu, and make a note of which releases they are under.
  5. Go to the track with the policy issue. It will be one of these 4 pages: Internal / Closed / Open testing or Production.
  6. Near the top right of the page, click Create new release. (You may need to click Manage track first.)
  7. If the release with the violating APK is in a draft state, discard the release.
  8. Add the policy compliant version of app bundles or APKs.
  9. Make sure the non-compliant version of app bundles or APKs is under the Not included section of this release. For further guidance, please see the "Not included (app bundles and APKs)" section in this Play Console Help article.
  10. To save any changes you make to your release, select Save.
  11. When you've finished preparing your release, select Review release.
  12. If the non-compliant APK is released to multiple tracks, repeat steps 5-9 in each track.
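For step 1 above (replacing the WebView with a Chrome Custom Tab), the following is an added Kotlin example and not Google's code: it builds an OAuth 2.0 authorization request with a state value and PKCE, opens it in a Custom Tab, and receives the redirect in a dedicated activity. The authorization endpoint, client id and redirect URI are placeholders, and the androidx.browser library is assumed as a dependency.

```kotlin
import android.app.Activity
import android.content.Context
import android.net.Uri
import android.os.Bundle
import android.util.Base64
import androidx.browser.customtabs.CustomTabsIntent
import java.security.MessageDigest
import java.security.SecureRandom

// Placeholders: your provider's authorization endpoint, your client id, and the redirect URI registered for RedirectActivity.
const val AUTH_ENDPOINT = "https://auth.example.com/authorize"
const val CLIENT_ID = "YOUR_CLIENT_ID"
const val REDIRECT_URI = "com.example.app:/oauth2redirect"
private val B64 = Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP

private fun randomUrlSafe(bytes: Int): String =
    Base64.encodeToString(ByteArray(bytes).also { SecureRandom().nextBytes(it) }, B64)
private fun s256(verifier: String): String =
    Base64.encodeToString(MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray()), B64)
// Step 3 above: open the authorization request in a Custom Tab instead of a WebView.
fun startAuthorization(activity: Activity) {
    val state = randomUrlSafe(16)     // ties the redirect back to this request
    val verifier = randomUrlSafe(32)  // PKCE verifier, kept private until the code exchange
    activity.getSharedPreferences("oauth", Context.MODE_PRIVATE).edit()
        .putString("state", state).putString("verifier", verifier).apply()
    val authUri = Uri.parse(AUTH_ENDPOINT).buildUpon()
        .appendQueryParameter("response_type", "code")
        .appendQueryParameter("client_id", CLIENT_ID)
        .appendQueryParameter("redirect_uri", REDIRECT_URI)
        .appendQueryParameter("state", state)
        .appendQueryParameter("code_challenge", s256(verifier))
        .appendQueryParameter("code_challenge_method", "S256")
        .build()
    // The browser renders the sign-in page, so the app never touches the user's
    // credentials and the user keeps their existing browser sign-in session.
    CustomTabsIntent.Builder().build().launchUrl(activity, authUri)
}

// Declared in the manifest with an intent-filter matching REDIRECT_URI.
class RedirectActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val prefs = getSharedPreferences("oauth", MODE_PRIVATE)
        val uri = intent?.data
        val expected = prefs.getString("state", null)
        // Drop any redirect whose state is missing or differs from the one this app generated.
        if (uri == null || expected == null || uri.getQueryParameter("state") != expected) { finish(); return }
        val code = uri.getQueryParameter("code")  // exchange with the stored PKCE verifier at the token endpoint (not shown)
        finish()
    }
}
```

The token exchange itself is left out; the point of the example is that the credential entry happens in the browser and the app only ever sees the authorization code on its own redirect URI.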

During this time your new app or app update will remain in an “in review” status until your request is reviewed. If the app has not been updated correctly, you will still see the warning.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our support team.
