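You can use JavascriptInterface; for details, see WebView's addJavascriptInterface method:
https://developer.android.goo... java.lang.String). However, before API 17 there is a vulnerability: JS can use reflection to reach the app's public fields and methods, and to use the permissions the app already holds.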
This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for apps targeting JELLY_BEAN or earlier. Apps that target a version later than JELLY_BEAN are still vulnerable if the app runs on a device running Android earlier than 4.2. The most secure way to use this method is to target JELLY_BEAN_MR1 and to ensure the method is called only when running on Android 4.2 or later. With these older versions, JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application. Use extreme care when using this method in a WebView which could contain untrusted content.
You can use this JSBridge, but once you use it you can no longer use the WebView.setWebViewClient() method:
https://github.com/lzyzsd/JsB...
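If the functionality is simple, you can follow the idea of the JSBridge above and provide a custom implementation of WebView's alert method, using it to pass events.
By the way, how did SF know I had just been working on Android and JS interaction?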
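The two approaches from the answer above, combined in an added example that is not part of the original post: the injected object is registered only on Android 4.2 (API 17) or later, and older devices fall back to passing events through `alert()`. The class name `SafeBridge`, the host `app.example.com`, the `bridge:` prefix and the event names are assumptions made for illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Added example; all names and values below are hypothetical.
public final class SafeBridge {
    private static final String TRUSTED_HOST = "app.example.com"; // assumed: the only origin allowed to send events
    private static final String PREFIX = "bridge:";               // assumed: marks an alert() that carries an event
    private static final List<String> EVENTS = Arrays.asList("share", "close");

    // For apps targeting API 17+, only public methods annotated with @JavascriptInterface are callable from JS.
    public static final class Api {
        @JavascriptInterface
        public void onEvent(String name) { dispatch(name); }
    }

    public static void install(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Never inject on older devices, where JS could use reflection on the injected object.
            webView.addJavascriptInterface(new Api(), "bridge");
        }
        // Fallback channel for older devices: the page calls alert("bridge:<event>").
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                Uri page = url == null ? Uri.EMPTY : Uri.parse(url);
                boolean trusted = "https".equals(page.getScheme())
                        && TRUSTED_HOST.equals(page.getHost());
                if (trusted && message != null && message.startsWith(PREFIX)) {
                    dispatch(message.substring(PREFIX.length()));
                    result.confirm(); // unblock the page's JS, which waits on the dialog result
                    return true;      // handled: no dialog is shown
                }
                return false;         // anything else gets the default alert dialog
            }
        });
    }
    // Event names come from page content, so only allowlisted names are acted on.
    static void dispatch(String name) {
        if (EVENTS.contains(name)) Log.i("SafeBridge", "event: " + name);
    }
}
```

The object registered with `addJavascriptInterface` is visible to whatever content the WebView loads, so the API-level gate does not replace restricting the WebView to trusted pages.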