The way I see that in desktop browsers is that they are trying to identify login forms in an HTML page with some kind of heuristic. There is no standardized way for logging in a user on the Internet. A login form can have various shapes, locations, layouts, identifiers assigned, so there is no guarantee that this works all the time. But you can get pretty close to a workable solution.
So you need to be smart about it and develop heuristics that are able to identify login forms in HTML pages. Usually login forms consist of an input field that is labeled with something like "user name" or "email address". And close to it is another input field of type "password". If you find something like that in a form you know what you're dealing with and your app needs to store these fields' names. You also see that you need to support different languages for identifying the user name field. You cannot expect that field to be labeled in English all the time. For making it more solid you'll need to store a bit of context. Look for the surrounding form tag and store its action attribute because this is a sure way to find a login form again in an HTML document even when the layout changed a bit. In any case, if you want to do that based on a WebView, I guess your best bet is injecting some JavaScript code after the page is loaded. That JavaScript code scans through the current page for finding all form tags and tries to figure out, whether these forms are login forms according to your heuristic. Your trojan JavaScript code needs to hook into the onSubmit event handlers of these login forms, and when the user submits these forms, read both user name and password and transfer that information to your app (see documentation about binding JavaScript to your app)<http://developer.android.com/guide/webapps/webview.html#BindingJavaScript>. Your app can then open a popup dialog and ask the user whether (s)he wants to store these login credentials. When the user visits that page again, your trojan JavaScript needs to find the matching login form again (by action attribute string for example / and other heuristics, you need to experiment with) and automatically fill both input fields for user name and password. Be aware that also the action string URL is not necessarily stable, because some websites may add some random token to the URL parameter string. You'll have to experiment with the identification of login forms and find ways for supporting more and more websites over time. There is one possible deal-breaker however. I don't know whether WebView allows reading password type input fields from JavaScript. It could be turned off / disallowed for security reasons. If that's the case, you're most likely not able to use WebView for your purposes, unless you're using a proxy server that can read out your passwords. That opens a whole other can of worms with all security implications and so on. Or if you're lucky there is some way to intercept the HTTP requests created by WebView. But I doubt that. By the way, since you are going to handle very sensitive user data, make sure to encrypt that data based on a user password string. There are sufficiently secure algorithms and implementations in Java out there. On Wednesday, July 11, 2012 10:21:21 PM UTC-5, Mani wrote: > > Thanks to both for your answers, > Yes, my use case is smth like password Vault. > @Kris, I am able to keep users in the same tab. So thats not my worry. > Have u seen LastPass, thats quite amazing. > Well I dont think its snooping if you tell user that the app is meant to > store/synch passwords across browsers or devices, like LastPass has done. > I would appreciate if you can provide some on technical feasibility or > direction on how this can be achieved.. > > Thanks > Mani > > -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
