7.9 Follow WebView Best Practices
WebViews can introduce a number of security concerns and should be implemented carefully. In particular, a number of exploitable vulnerabilities arising from the use of the addJavascriptInterface API have been discovered: on Android versions before 4.2 (API level 17), every public method of the injected object is reachable from page JavaScript through reflection, so any script running in the WebView (including script injected over cleartext HTTP) can call into the app. From API level 17 onward only methods annotated with @JavascriptInterface are exposed, so a bridge should be annotated that way and should not be registered at all on older versions.
Disallow the loading of content from third-party hosts. This can be difficult to achieve from within the app. However, a developer can override shouldOverrideUrlLoading (top-level navigations) and shouldInterceptRequest (sub-resources such as scripts, images and XHR, which do not pass through shouldOverrideUrlLoading) to intercept, inspect, and validate most requests initiated from within a WebView. A developer may also consider implementing a whitelist scheme by using the android.net.Uri (or java.net.URI) class to inspect the components of a URI (scheme, host, port, path) and ensure it matches an entry within a list of approved resources. The host should be compared exactly, not with a substring or suffix check, and the scheme should be restricted to https.
See https://gist.github.com/scottyab/6f51bbd82a0ffb08ac7a for a snippet of sample code that includes some WebView security best practices.
Note that the Android Manifest flag android:usesCleartextTraffic, which can help prevent an app from using cleartext network traffic (e.g., HTTP and FTP without TLS), is not honored by WebView on versions before Android 8.0 (API level 26). On those versions the app must enforce HTTPS itself, for example by rejecting non-https schemes in shouldOverrideUrlLoading and shouldInterceptRequest.
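The following is an added example written for this section; it is not the code from the gist linked above and not code from the guide's authors. It puts the points above together in one WebViewClient: an exact-match host allowlist (the two host names are constructed for the example), an https-only scheme check so cleartext is refused even where WebView ignores usesCleartextTraffic, interception of both top-level navigations and sub-resource loads, and a JavaScript bridge that is annotated with @JavascriptInterface and only registered on API level 17 and above. The bridge class and its appVersion() method are assumptions made for the example.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class HardenedWebView {

    // Constructed allow list for the example: only these hosts may be loaded, and only over HTTPS.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("app.example.com", "cdn.example.com"));

    /** True only for an https URL whose host is exactly on the allow list. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Reject cleartext here: WebView ignores usesCleartextTraffic before API 26.
        if (!"https".equalsIgnoreCase(scheme)) return false;
        // Exact match on the host; a suffix or substring check would accept evil-example.com.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Hypothetical bridge object. On API 17+ only @JavascriptInterface methods are callable from JS. */
    static final class NativeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }   // constructed value for the example

        // Not annotated, so not reachable from JS on API 17+. On older versions it WOULD be,
        // which is why the bridge is never registered there (see configure()).
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                  // enable only if the page really needs it
        s.setAllowFileAccess(false);                   // no file:// content
        s.setAllowContentAccess(false);                // no content:// providers
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // Before API 17 every public method of the object is reachable via reflection,
        // so expose no bridge at all on those versions.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");
        }

        webView.setWebViewClient(new WebViewClient() {
            // Top-level navigations (link clicks, redirects) on API 24+. Returning true blocks the load.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl().toString());
            }

            // Same policy for API < 24.
            @SuppressWarnings("deprecation")
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url);
            }

            // Sub-resources (scripts, images, XHR) bypass shouldOverrideUrlLoading, so check them here.
            // Returning null lets WebView fetch the resource; an empty response blocks it.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                if (isAllowed(request.getUrl().toString())) return null;
                return new WebResourceResponse("text/plain", "UTF-8", new ByteArrayInputStream(new byte[0]));
            }

            @SuppressWarnings("deprecation")
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isAllowed(url)) return null;
                return new WebResourceResponse("text/plain", "UTF-8", new ByteArrayInputStream(new byte[0]));
            }
        });
    }
}
```

Call HardenedWebView.configure(webView) before the first loadUrl(). Note that shouldOverrideUrlLoading is not invoked for the URL passed to loadUrl() itself or for POST requests, which is why the same isAllowed() check is also applied in shouldInterceptRequest; together the two callbacks cover the navigations and resource loads the page can trigger.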