cordova-android icon indicating copy to clipboard operation
cordova-android copied to clipboard
verified publisher icon apache

AndroidInsecureFileModeEnabled and autofill password

Open Ekkaterinka opened this issue 6 months ago • 3 comments

Hello, In my native Cordova Android app, password autofill hints on the keyboard don’t work when filling out a form. All HTML tags are correctly specified. On iOS, everything works fine. However, if I set <preference name="AndroidInsecureFileModeEnabled" value="true" />, the password hints start working. This solution is not suitable for me.

How does AndroidInsecureFileModeEnabled affect password autofill, and what are some alternative ways to solve this issue?

Ekkaterinka avatar Jun 03 '25 12:06 Ekkaterinka

AndroidInsecureFileModeEnabled makes the webview use the file protocol which means your document origin will be null.

I can't say for certain but it's very likely that password autofills are tied to an origin so if the origin is null (as is the case for file://, blob://, data://, etc..) the autofill may be disabled.

By default this mode is turned off on android and the scheme will be https://localhost which will not only give your document an origin, but it will also be treated as a secure context. So it's definitely worth a try disabling the insecure file mode.

If you're migrating from insecure file mode it's also worth mentioning that your web storage containers will get a new "container" under your new origin, so all your old web storage will no longer be accessible by the webview. This includes stuff like Local Storage, IndexedDB, cookies, etc.

breautek avatar Jun 03 '25 13:06 breautek

Yes, it returns null, I caught that in the logs. But the thing is, the source of passwords is the keyboard, for example Gboard, Google Autofill. That is, the built-in autofill services of the phone itself.

Ekkaterinka avatar Jun 03 '25 13:06 Ekkaterinka

Yes, it returns null, I caught that in the logs. But the thing is, the source of passwords is the keyboard, for example Gboard, Google Autofill. That is, the built-in autofill services of the phone itself.

Like the browser, the webview does disable features if the document isn't loaded as a secure context, which the file:// protocol is considered insecure. I do not know if this is the actual cause in your case but I do know that device password managers does work over the WebViewAssetLoader (which is used when AndroidInsecureFileModeEnabled is disabled), at least it works on Samsung devices.

Samsung doesn't autofill though automatically, but you can select a stored credentials, which requires biometrics (then it will autofill).

breautek avatar Jun 07 '25 18:06 breautek