From 69340175196f658c81f5ea2229187fa45dd832e5 Mon Sep 17 00:00:00 2001
From: Amir Khodak <amir.khodak@gmail.com>
Date: Wed, 27 May 2026 20:00:01 +0000
Subject: [PATCH] security: restrict network to system CAs, tighten WebView
 capabilities; v1.9

- AndroidManifest: add networkSecurityConfig to explicitly trust only system
  CAs, preventing user-installed CA cert MITM attacks on claude.ai sessions
- LoginActivity: set javaScriptCanOpenWindowsAutomatically=false (not needed
  for claude.ai login) and databaseEnabled=false (deprecated WebSQL)
- build.gradle.kts: enable buildConfig generation (required for
  BuildConfig.DEBUG guards already used in UsageRepository)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 app/build.gradle.kts                                     | 5 +++--
 app/src/main/AndroidManifest.xml                         | 1 +
 app/src/main/java/me/khodak/claudeusage/LoginActivity.kt | 4 ++--
 app/src/main/res/xml/network_security_config.xml         | 8 ++++++++
 4 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 app/src/main/res/xml/network_security_config.xml

diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index 5cd6263..397eaf6 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@@ -11,8 +11,8 @@ android {
         applicationId = "me.khodak.claudeusage"
         minSdk = 26
         targetSdk = 34
-        versionCode = 9
-        versionName = "1.8"
+        versionCode = 10
+        versionName = "1.9"
     }
 
     signingConfigs {
@@ -44,6 +44,7 @@ android {
 
     buildFeatures {
         viewBinding = true
+        buildConfig = true
     }
 }
 
diff --git a/app/src/main/AndroidManifest.xml b/app/src/main/AndroidManifest.xml
index 32ba4e7..9fd3276 100644
--- a/app/src/main/AndroidManifest.xml
+++ b/app/src/main/AndroidManifest.xml
@@ -11,6 +11,7 @@
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.ClaudeUsage"
+        android:networkSecurityConfig="@xml/network_security_config"
         android:usesCleartextTraffic="false">
 
         <activity
diff --git a/app/src/main/java/me/khodak/claudeusage/LoginActivity.kt b/app/src/main/java/me/khodak/claudeusage/LoginActivity.kt
index d0dc859..356bc60 100644
--- a/app/src/main/java/me/khodak/claudeusage/LoginActivity.kt
+++ b/app/src/main/java/me/khodak/claudeusage/LoginActivity.kt
@@ -72,8 +72,8 @@ class LoginActivity : AppCompatActivity() {
             settings.apply {
                 javaScriptEnabled = true
                 domStorageEnabled = true
-                databaseEnabled = true
-                javaScriptCanOpenWindowsAutomatically = true
+                databaseEnabled = false
+                javaScriptCanOpenWindowsAutomatically = false
                 setSupportMultipleWindows(false)
                 // Standard Android Chrome UA — less suspicious than desktop
                 userAgentString = "Mozilla/5.0 (Linux; Android 13; Pixel 7) " +
diff --git a/app/src/main/res/xml/network_security_config.xml b/app/src/main/res/xml/network_security_config.xml
new file mode 100644
index 0000000..683208f
--- /dev/null
+++ b/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <base-config cleartextTrafficPermitted="false">
+        <trust-anchors>
+            <certificates src="system" />
+        </trust-anchors>
+    </base-config>
+</network-security-config>