How much control do the app have over a web-view? Would it for example be able to log user input (steal passwords), or insert content (ads) ? Do the web view make it's own https request ?
The app can tell the webview: open this URL. That's pretty much it. Injecting could theoretically happen, but only by showing a page that looks like the original but isn't.
