That said, I hacked around to see if injecting Javascript on the WebView was possible and it was, with a bit of change I could actually get the user name and password of the victim by making him/her uninstall Facebook on their phone and use FB login in my app.

Tonight, I had read an article on the security risk of using Facebook on Android. I am shocked at Kanwal’s discovery about WebView.

I will avoid using Facebook on Android.