security: restrict network to system CAs, tighten WebView capabilities; v1.9

- AndroidManifest: add networkSecurityConfig to explicitly trust only system
  CAs, preventing user-installed CA cert MITM attacks on claude.ai sessions
- LoginActivity: set javaScriptCanOpenWindowsAutomatically=false (not needed
  for claude.ai login) and databaseEnabled=false (deprecated WebSQL)
- build.gradle.kts: enable buildConfig generation (required for
  BuildConfig.DEBUG guards already used in UsageRepository)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-27 20:00:01 +00:00
parent ee68b11ad0
commit 6934017519
4 changed files with 14 additions and 4 deletions
@@ -72,8 +72,8 @@ class LoginActivity : AppCompatActivity() {
settings.apply {
javaScriptEnabled = true
domStorageEnabled = true
databaseEnabled = true
javaScriptCanOpenWindowsAutomatically = true
databaseEnabled = false
javaScriptCanOpenWindowsAutomatically = false
setSupportMultipleWindows(false)
// Standard Android Chrome UA — less suspicious than desktop
userAgentString = "Mozilla/5.0 (Linux; Android 13; Pixel 7) " +
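Review bot: in the `settings.apply` block, file and content access are not restricted in the visible lines, so they stay at their platform defaults unless set elsewhere. The commit message says this WebView is only for the claude.ai login, so consider adding `allowFileAccess = false` and `allowContentAccess = false` next to `setSupportMultipleWindows(false)`. Separately, the comment on `userAgentString` ("less suspicious than desktop") does not explain why the user agent is overridden; a sentence giving the reason, and noting that the hard-coded "Android 13; Pixel 7" string will age, would help the next reader.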