
Let's see, there are various ways to approach these particular issues.

  • Typically, this issue has to do with hardware acceleration and plugin states. In the manifest file, make sure that you are using android:hardwareAccelerated="true" in the application tag. Also, using the WebChromeClient, you can add WebSettings.PluginState.ON and WebSettings.PluginState.ON_DEMAND. If you are trying to load YouTube videos from online sources, then you can also try adding metadata into the requests so that the device knows that it will be a video. You can also try building your own iframe and then re-embedding the video into it with something like this:
using object tag
String html = "<object width='400' height='400' data=\"http://www.youtube.com/embed/<video-id>\"></object>"; 
  • Past API v17 there are considerable security increases against XSS; of course, this doesn't mean you won't encounter some, however. What I usually do is force my shouldOverrideUrlLoading function to be limited to the domain of the website that I am visiting, with some of the 3rd party things like YouTube also included in this check. And if the incoming URL is not in the domain, then I force Android to launch an intent, and typically that deals with most issues. This way I can validate the origin of all of the requests made in the application. shouldInterceptRequest is another method you can override if you want a bit more control over the resources that are on whatever webpage you are accessing. Just make sure to sanitize all inputs that might be susceptible to XSS (MiTM for instance) attacks as you would with any web app etc. I know there are some decent 3rd party libraries that can handle these things as well: OWASP for instance is a good one. jsoup can also help in some specific situations.

  • WebViews are slow, as are hybrid apps. It's one of the more unfortunate things (I would prefer to write views in HTML than XML). You can try to set a higher render priority for your webviews via webview.getSettings().setRenderPriority(RenderPriority.HIGH); and you can enable and disable hardware acceleration for various things. You can even downgrade the HTML you are viewing using modifiers like body.lowquality * { filter: none !important; }.

If I had to build a semi-hybrid app like that, I would probably use something that isn't a native Android app, like Dart's Flutter framework for the front-end. (I know that's probably more trouble than it's worth at this point for you though.) And then I would wire everything else that I could get via API into the native side of the app and use my own custom-built UI elements. Anyways, I hope some of this helps you out.
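
The domain check in shouldOverrideUrlLoading that the answer describes could look like the following. This is an added example, not code from the answer; the class name AllowlistWebViewClient, the host example.com and the https-only rule are assumptions, and the WebResourceRequest overload requires API 24 or later.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical class; "example.com" is a placeholder for the site the app wraps.
public class AllowlistWebViewClient extends WebViewClient {
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "example.com", "www.youtube.com"));

    // True only for https URLs whose host is an allowed host or a subdomain of one.
    static boolean isAllowed(Uri uri) {
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        host = host.toLowerCase(Locale.ROOT);
        for (String allowed : ALLOWED_HOSTS) {
            // Match on a dot boundary so "evilexample.com" never passes as "example.com".
            if (host.equals(allowed) || host.endsWith("." + allowed)) return true;
        }
        return false;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if (isAllowed(uri)) return false;   // false = the WebView loads it itself
        String scheme = uri.getScheme();
        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
            try {
                // Off-domain web link: hand it to the user's browser via an intent.
                view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri));
            } catch (ActivityNotFoundException e) {
                // No app can open the link; drop the navigation.
            }
        }
        // Any other scheme (intent:, file:, javascript:, ...) is dropped, not forwarded.
        return true;                         // true = the WebView does not load it
    }
}
```

This callback only sees navigations, so images, scripts and other subresources on an allowed page still load from any host unless shouldInterceptRequest applies a similar check.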