Android Login app using web scraping with a background WebView

Question

I am facing a problem with a login system for a web-based Android app (HTTPS connection with CA, TLS 1.0 128bit cypher). So, The aplication has its own login screen/activity (two EditText for the username and password) and the user should be able to log into the web through that window (without showing the WebView or similar). Then the application will update its UI, showing a number of features plus the logout/exit button. Well, the problem here is that I don't have a webservice at my disposal to authenticate the user... tricks of the trade T_T.

The truth is this this a mess caused by the site's admin, because this should be done with a webservice and sharing the token/session data. If someday the code of the web is modified... then the login is gonna fail for sure. This is not serious (or a secure practice) at all.

  Also, I have another issue because if the user type the wrong login although once, an evil captcha appears. We can avoid it by closing and open the browser again; after each attempt. Considering all possibilities, then the most 'viable' solution consist of web-scraping the Javascript code on the web, fill out the URL login user/password form fields (.do) and send it to the web. Thinking about the process steps, I have some doubts to implement that behavior in Android. Ideas/advices will be appreciated. So, there we go.. my initial approach would be:

1. Perform the HTTPS connection. This should validate the certificate. I thought about doing something like this. Download the certificates in base64 (.cer), then generate the keys and use them in the app. Two questions:         

   • If the web certificate expires, do you need to re-generate the keystore and add them into the app code again?.       
   • Is there anyway to automate this process downloading them programmatically and validating the CA?.

2. Create a dummy Webview (without showing it) and enable the Javascript. It'll serve to inject .js in the web (the user and pass from the EditText fields) and use the submit button on the web. Load the URL where the login form and validate it is. Question:

     - I need to clear the webview's cache, including cookies after submitting the form in order to avoid the captcha when the user try again... in this particular case, is enough to disable the cache? (weview.clearCache (true)). I think I need to play with the onPageFinished method to control that with a firstAttemp boolean var or similar...

3. Once you submit the form, the Javascript use a label 'error', with which you could check if the login was successful or not. Using the Javascript Interface finding the class tag with something like:

   document.getElementsByClassName('error')[0].innerHTML

4. If the login is correct, then save the user in the shared data file using AES encryption.

Here some code:

    isSumitted = false;
    String user = editUser.getText().toString();
    String password = editPass.getText().toString();

    // empty fields checking 
    // here we can do other checks (size, characters...)
    // maybe create a LoginFormatException...
    if (user.isEmpty() || password.isEmpty()) {
        Util.alertaAcept(getActivity(), "Error:", getResources()
                .getString(R.string.rellene_usuario_contr));
        return;
    }

    // Authenticate by using a Webview in the background 
    WebView myWebView = new WebView(getActivity());
    WebSettings settings = myWebView.getSettings();       
    settings.setJavaScriptEnabled(true);
    //settings.setSavePassword(false); <--- deprecated
    settings.setSaveFormData(false);
    settings.setCacheMode(WebSettings.LOAD_NO_CACHE);
    settings.setAppCacheEnabled(false);

    // JavaScript to inject in the webview
    final StringBuilder jsCode = new StringBuilder()
    .append("javascript: {")
    .append("document.getElementById('logname')[0].value = '"+ user +"';")
    .append("document.getElementById('passtext')[0].value = '"+ password +"';");
    .append("document.getElementById('Submit').click();");

myWebView.setWebViewClient(new WebViewClient() {
    public void onPageFinished(WebView view, String url) {                  
       if (!isSubmitted) {      
            // if first attempt
            // fill the fields and submit               
            view.loadUrl(jsCode.toString());
            myWebView.loadUrl(URL_ACCESO);
            isSubmitted = true;             
       }else{
            // check if the login was correct               
            // by getting the response from js "document.getElementsByClassName('error')[0].innerHTML;";
            if(errorResponse.equalsIgnoreCase("")){
                 // logged OK
                 logged = true;                  
                  // then encrypt user & pass with proper suites and save the data in the shared preference file:                                                   
             }
              else{
                  // show an AlertDialog with something like "Sorry, you have fail this code" or whatever you want...
                  //now, delete the browser's cache
                  //and delete cached requests or cookies if necessary
             }          
          }         
      });       

Answer 1

Use web scraping tools in Android and work out with the code. Try this solution:

https://github.com/emirkin/bobik_java_sdk

The following tools and code resources can come handy to your use :

https://code.google.com/p/android-scripting/source/browse/rhino/rhino1_7R2.jar?r=835425b4ac473f2a2acfe9c4c2b92343f31b36ec

http://zscraper.wordpress.com/2012/07/03/a-comparison-shopping-android-app-without-backend/

https://gist.github.com/emirkin/3041523