Authenticated Webviews in mobile apps

Vlado Grancaric
6 min read · Nov 29, 2023

Problem statement

Sometimes when building a mobile application we cannot get the APIs in time, or we can’t build a feature natively because of a compliance item we need to take care of in the app.

So we need ways to get features in quickly while leaving time to build out the required plumbing later. In practice, we want to log into our identity management solution and use the same tokens to log us securely into a webview.

There are multiple ways to use WebViews in mobile apps. Here is a non-exhaustive explanation of how you can do that. I will try to cover both iOS and Android.

Ways to load web content in iOS

  1. Opening the Safari app using UIApplication.shared.open(_:). The user can use all of their data (cookies, sessions, web storage and password autofill), but loses their context in the app, because it takes them out of the app and into Safari.
  2. Embedding a web view using WKWebView. This lets developers do many things, such as customizing the UI, reading cookies, and even injecting a script. Because of these capabilities, iOS does not share data between Safari and WKWebView for security reasons. It means that the user has to log in again to be authenticated unless the…
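
One way to hand an already-issued session token to a WKWebView so the user is not asked to log in again, as an added example that is not the author's code. It assumes the web backend accepts a session cookie; the host `portal.example.com`, the cookie name `session` and the class name are hypothetical.

```swift
import WebKit

// Added example. Host, cookie name and token source are assumptions.
final class AuthenticatedWebViewLoader: NSObject, WKNavigationDelegate {
    private let allowedHost = "portal.example.com"   // hypothetical first-party host
    private(set) var webView: WKWebView!

    func load(path: String, sessionToken: String) {
        // Non-persistent store: the session cookie stays in memory and is
        // discarded with the web view instead of being written to disk.
        let store = WKWebsiteDataStore.nonPersistent()
        let config = WKWebViewConfiguration()
        config.websiteDataStore = store
        webView = WKWebView(frame: .zero, configuration: config)
        webView.navigationDelegate = self

        // Scope the cookie to the one host, HTTPS only, with a short lifetime.
        guard let cookie = HTTPCookie(properties: [
            .name: "session",                        // hypothetical cookie name
            .value: sessionToken,
            .domain: allowedHost,
            .path: "/",
            .secure: "TRUE",
            .expires: Date().addingTimeInterval(300)
        ]), let url = URL(string: "https://\(allowedHost)\(path)") else { return }

        // Load only after the cookie store confirms the cookie is set;
        // otherwise the first request can go out unauthenticated.
        store.httpCookieStore.setCookie(cookie) { [weak self] in
            self?.webView.load(URLRequest(url: url))
        }
    }

    // Cancel any navigation (including frames) that leaves the allowed HTTPS
    // host, so the authenticated view cannot be steered to other content.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        let url = navigationAction.request.url
        let ok = url?.scheme == "https" && url?.host == allowedHost
        decisionHandler(ok ? .allow : .cancel)
    }
}
```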

Vlado Grancaric

I’ve been in the technology game a long time. Thought it was about time to put pen to paper and share my knowledge and thoughts. They are by no means gospel.