Memory leak: WebMessageListenerHolder retains KlaviyoWebView (removeWebMessageListener never called)

[esantamari-c-arlo]

Checklist

• I have read the contributing guidelines
• I have determined whether this bug is also reproducible in a vanilla Android project
• If possible, I've reproduced the issue using the master branch or latest release of this package.
• This issue hasn't been addressed in an existing GitHub issue or pull request.

Description

A memory leak occurs when dismissing Klaviyo in-app forms because WebViewCompat.removeWebMessageListener() is never called after registering a WebMessageListener.

As a result, WebMessageListenerHolder retains a reference to KlaviyoWebView, preventing the associated KlaviyoFormsOverlayActivity and its view hierarchy from being garbage-collected.

The issue was reproduced on version 4.1.0. A review of the SDK source code indicates that the missing cleanup is not implemented in newer versions or the current master branch.

Expected behavior

After KlaviyoFormsOverlayActivity is destroyed (form dismissed or unregisterFromInAppForms called), the KlaviyoWebView, its WebMessageListenerHolder, and the hosting Activity should be fully garbage-collected with no retained references.

Actual behavior

After dismissing an in-app form, WebMessageListenerHolder retains KlaviyoWebView, which in turn retains the destroyed KlaviyoFormsOverlayActivity and its entire view hierarchy.

LeakCanary reports the following reference chain:

WebMessageListenerHolder → KlaviyoWebView → KlaviyoFormsOverlayActivity → view hierarchy

Approximately 93 KB (1735 objects) are retained. The retained references persist for the lifetime of the process and accumulate if forms are repeatedly opened and dismissed, increasing the risk of memory pressure or OOM on low-memory devices.

Steps to reproduce

1. Initialize the Klaviyo SDK and register for in-app forms
2. Trigger an in-app form to display
3. Dismiss the in-app form (tap close or CTA)
4. Observe with LeakCanary or a heap dump that KlaviyoWebView is retained by WebMessageListenerHolder

The Klaviyo Android SDK version information

4.1.0

Device Information

Samsung Galaxy S22. Could not reproduce on OnePlus Open or emulators (API 28, 29, 33, 34)

Android Studio Version

Android Studio Otter 3 Feature Drop | 2025.2.3

Android API Level

36 (android 16)

[evan-masseau]

Thanks for reporting, I will take a closer look.
I will say right off that it is intentional that we do not destroy the WebView after a single form is shown and then dismissed. It is responsible for evaluating form eligibility in the background. So it is intentionally held in memory in order to potentially display another form if the user is targeted for another form later.
However, not calling removeWebMessageListener even on destroy is definitely an oversight that I can correct. Different vendors implement WebView differently under the hood, so some internals on Samsung's version may be retaining some reference that vanilla android does not -- could explain the inconsistent reproducibility!

[dan-peluso]

Hey @esantamari-c-arlo thanks again for your patience! We think we have a fix for this one and are starting to test on our end, but wanted to see if you were interested in testing as well!
rel~4.4.0-SNAPSHOT
If you use this SDK version, are you able to reproduce the issue? Again it's intentional we keep the webview in the background, but if you call unregisterFromInAppForms it should remove all references.

[evan-masseau]

By the way, that rel/4.40 branch also has a fix to roll back the version of androidx.core which inadvertently meant that the host app had to have updated to compileSdk 36.
The gradle syntax would be like this:

version.com.github.klaviyo.klaviyo-android-sdk..analytics=rel~4.4.0-SNAPSHOT
// ... same for all klaviyo packages you use