What’s new in WebView security

Posted by Xiaowen Xin and Renu Chaudhary, Android Security Team

The processing of external and untrusted content is often one of the most
important functions of an app. A newsreader shows the top news articles and a
shopping app displays the catalog of items for sale. This comes with associated
risks as the processing of untrusted content is also one of the main ways that
an attacker can compromise your app, i.e. by passing you malformed content.

Many apps handle untrusted content using href="https://developer.android.com/reference/android/webkit/WebView.html">WebView,
and we've made many improvements in Android over the years to protect it and
your app against compromise. With Android Lollipop, we started delivering
WebView as an independent APK, updated every six weeks from the Play store, so
that we can get important fixes to users quickly. With the newest WebView,
we've added a couple more important security enhancements.

Isolating the renderer process in Android O

Starting with Android O, WebView will have the renderer running in an isolated
process separate from the host app, taking advantage of the isolation between
processes provided by Android that has been available for other applications.

Similar to Chrome, WebView now provides two levels of isolation:

  1. The rendering engine has been split into a separate process. This insulates
    the host app from bugs or crashes in the renderer process and makes it harder
    for a malicious website that can exploit the renderer to then exploit the host
  2. To further contain it, the renderer process is run within an isolated
    process sandbox that restricts it to a limited set of resources. For example,
    the rendering engine cannot write to disk or talk to the network on its own.

    It is also bound to the same seccomp filter (blogpost on seccomp is coming soon) as
    used by Chrome on Android. The seccomp filter reduces the number of system calls
    the renderer process can access and also restricts the allowed arguments to the
    system calls.

Incorporating Safe Browsing

The newest version of WebView incorporates Google's href="https://safebrowsing.google.com/">Safe Browsing protections to detect
and warn users about potentially dangerous sites.. When correctly configured,
WebView checks URLs against Safe Browsing's malware and phishing database and
displays a warning message before users visit a dangerous site. On Chrome, this
helpful information is displayed more than 250 million times a month, and now
it's available in WebView on Android.

Enabling Safe Browsing

To enable Safe Browsing for all WebViews in your app, add in a manifest tag:

<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
android:value="true" />
. . .
<application> . . . </application>

Because WebView is distributed as a separate APK, Safe Browsing for WebView is
available today for devices running Android 5.0 and above. With just one added
line in your manifest, you can update your app and improve security for most of
your users immediately.

Related Posts

Subscribe Our Newsletter