Nobu Games, Thank you for your elaborate answer. This is precisely what I am doing. Injecting some JS code upon PageFinished and I inspect the HTML DOM for forms. I have been fairly accurate in finding out if the HTML page has a Login form. I can do a reasonably good accuracy with the no. of password fields in the form. One -> Signin 2-> ChangePwd 0 -> Regular page. Some questions - 1. Is there any straightforward event that is generated when a Submit happens inside the Webview ?
Thanks Mani On Friday, July 13, 2012 1:27:25 AM UTC+8, Nobu Games wrote: > > The way I see that in desktop browsers is that they are trying to identify > login forms in an HTML page with some kind of heuristic. There is no > standardized way for logging in a user on the Internet. A login form can > have various shapes, locations, layouts, identifiers assigned, so there is > no guarantee that this works all the time. But you can get pretty close to > a workable solution. > > So you need to be smart about it and develop heuristics that are able to > identify login forms in HTML pages. Usually login forms consist of an input > field that is labeled with something like "user name" or "email address". > And close to it is another input field of type "password". If you find > something like that in a form you know what you're dealing with and your > app needs to store these fields' names. > You also see that you need to support different languages for identifying > the user name field. You cannot expect that field to be labeled in English > all the time. > > For making it more solid you'll need to store a bit of context. Look for > the surrounding form tag and store its action attribute because this is a > sure way to find a login form again in an HTML document even when the > layout changed a bit. > > In any case, if you want to do that based on a WebView, I guess your best > bet is injecting some JavaScript code after the page is loaded. That > JavaScript code scans through the current page for finding all form tags > and tries to figure out, whether these forms are login forms according to > your heuristic. > > Your trojan JavaScript code needs to hook into the onSubmit event handlers > of these login forms, and when the user submits these forms, read both user > name and password and transfer that information to your app (see > documentation about binding JavaScript to your > app)<http://developer.android.com/guide/webapps/webview.html#BindingJavaScript>. > > Your app can then open a popup dialog and ask the user whether (s)he wants > to store these login credentials. > > When the user visits that page again, your trojan JavaScript needs to find > the matching login form again (by action attribute string for example / and > other heuristics, you need to experiment with) and automatically fill both > input fields for user name and password. > > Be aware that also the action string URL is not necessarily stable, > because some websites may add some random token to the URL parameter > string. You'll have to experiment with the identification of login forms > and find ways for supporting more and more websites over time. > > There is one possible deal-breaker however. I don't know whether WebView > allows reading password type input fields from JavaScript. It could be > turned off / disallowed for security reasons. If that's the case, you're > most likely not able to use WebView for your purposes, unless you're using > a proxy server that can read out your passwords. That opens a whole other > can of worms with all security implications and so on. Or if you're lucky > there is some way to intercept the HTTP requests created by WebView. But I > doubt that. > > By the way, since you are going to handle very sensitive user data, make > sure to encrypt that data based on a user password string. There are > sufficiently secure algorithms and implementations in Java out there. > > > On Wednesday, July 11, 2012 10:21:21 PM UTC-5, Mani wrote: >> >> Thanks to both for your answers, >> Yes, my use case is smth like password Vault. >> @Kris, I am able to keep users in the same tab. So thats not my worry. >> Have u seen LastPass, thats quite amazing. >> Well I dont think its snooping if you tell user that the app is meant to >> store/synch passwords across browsers or devices, like LastPass has done. >> I would appreciate if you can provide some on technical feasibility or >> direction on how this can be achieved.. >> >> Thanks >> Mani >> >> -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
