security: restrict network to system CAs, tighten WebView capabilities; v1.9

- AndroidManifest: add networkSecurityConfig to explicitly trust only system
  CAs, preventing user-installed CA cert MITM attacks on claude.ai sessions
- LoginActivity: set javaScriptCanOpenWindowsAutomatically=false (not needed
  for claude.ai login) and databaseEnabled=false (deprecated WebSQL)
- build.gradle.kts: enable buildConfig generation (required for
  BuildConfig.DEBUG guards already used in UsageRepository)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-27 20:00:01 +00:00
parent ee68b11ad0
commit 6934017519
4 changed files with 14 additions and 4 deletions
+3 -2
@@ -11,8 +11,8 @@ android {
applicationId = "me.khodak.claudeusage" applicationId = "me.khodak.claudeusage"
minSdk = 26 minSdk = 26
targetSdk = 34 targetSdk = 34
versionCode = 9 versionCode = 10
versionName = "1.8" versionName = "1.9"
} }
signingConfigs { signingConfigs {
@@ -44,6 +44,7 @@ android {
buildFeatures { buildFeatures {
viewBinding = true viewBinding = true
buildConfig = true
} }
} }
+1
@@ -11,6 +11,7 @@
android:roundIcon="@mipmap/ic_launcher_round" android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true" android:supportsRtl="true"
android:theme="@style/Theme.ClaudeUsage" android:theme="@style/Theme.ClaudeUsage"
android:networkSecurityConfig="@xml/network_security_config"
android:usesCleartextTraffic="false"> android:usesCleartextTraffic="false">
<activity <activity
@@ -72,8 +72,8 @@ class LoginActivity : AppCompatActivity() {
settings.apply { settings.apply {
javaScriptEnabled = true javaScriptEnabled = true
domStorageEnabled = true domStorageEnabled = true
databaseEnabled = true databaseEnabled = false
javaScriptCanOpenWindowsAutomatically = true javaScriptCanOpenWindowsAutomatically = false
setSupportMultipleWindows(false) setSupportMultipleWindows(false)
// Standard Android Chrome UA — less suspicious than desktop // Standard Android Chrome UA — less suspicious than desktop
userAgentString = "Mozilla/5.0 (Linux; Android 13; Pixel 7) " + userAgentString = "Mozilla/5.0 (Linux; Android 13; Pixel 7) " +
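Review bot: The `settings.apply` block keeps `javaScriptEnabled = true` but, as far as this hunk shows, leaves file and content-URI access at their platform defaults, and `allowContentAccess` defaults to true. For a WebView that only needs to load the remote login page, add `allowFileAccess = false` and `allowContentAccess = false` next to `databaseEnabled = false`. The block continues past the end of the hunk (the `userAgentString` expression is cut off), so these may already be set further down; that should be confirmed. A one-line comment above the two changed settings, such as `// Login flow needs no popups and no WebSQL; keep both off.`, would record why they are disabled.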
@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system" />
</trust-anchors>
</base-config>
</network-security-config>
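Review bot: This `base-config` restates the platform default rather than changing it. With `targetSdk = 34`, user-installed CAs are already untrusted and cleartext is already blocked, so the protection named in the commit message was in effect before this file existed. Keeping the file is reasonable as a guard against a later edit, but that intent should be written into it, for example `<!-- Explicit copy of the API 24+ default: system CAs only. Do not add <certificates src="user" /> or a debug-overrides block without review. -->`. The absence of a `<debug-overrides>` element means debug builds follow the same trust rules, which is worth stating in that comment too.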