Is a secure cookie (HttpOnly cookie) readable on a native-app website (Android, iOS)?

Let's say I have a web application that uses an ajax HttpOnly cookie to store a login session (token). I wonder, if I add my web app to a native client (Android or iOS webview), does the cookie stay protected and unreadable anyway? I ask because I just found out that Android has a CookieManager capable of reading cookies from a webview.

The main problem is that I want to store the user's access token in a cookie or somewhere in the user's browser. I want to make sure that no matter what environment (regular Chrome or Safari, or a native webview application) the user's token is stored in, it remains secure and unreadable to XSS or any other hacker attack. Is there a way to do this?

+3

