WebView

As part of Android, Google ships WebView, which is used to render HTML, CSS, and JavaScript. This is one of the standard views in the Android Open Source Project (some others being TextView, EditText, Spinner, and ImageView). Privacy Browser uses WebView to render websites. If you do not have WebView on your system, Privacy Browser will crash when it starts.

WebView is released under a mix of LGPL and variations of the BSD licenses, and is currently built from the same codebase as Google’s Chromium project. It uses the Blink rendering engine and the V8 JavaScript engine. Because there are frequent security issues with WebView that need to be patched in a timely manner, beginning in Android 5.0 Google redesigned how Android handled WebView so that it could be updated via an APK through the Google Play Store. When an update is installed, Android uses it instead of whatever version shipped with the ROM. As far as I know this is the only one of Android’s views that can be updated in this way.

Beginning with Android 7.0 and ending with Android 10, Google allowed the Chrome APK to provide the system WebView (Chromium, which is part of Chrome, and WebView are built from the same codebase). However, they are not the same. At least one user was able to resolve frequent crashing by switching from Chrome to WebView. If Chrome is installed, WebView will automatically be disabled. If Chrome is uninstalled or disabled, WebView will be re-enabled and can receive updates from Google Play. If you have developer options enabled, you can see which source your WebView implementation comes from.

Beginning with Privacy Browser 3.1, About > Version now displays the WebView provider on devices running Android Oreo (8.0, API 26) or higher—Android Lollipop (5.0, API 21) or higher beginning with Privacy Browser 3.5.
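One way an app can read the WebView provider on API 26 or higher, and detect a missing WebView before trying to create one. This is an added example, not Privacy Browser's own code; the class and method names are hypothetical, and only the public `WebView.getCurrentWebViewPackage()` call is used.

```java
import android.content.pm.PackageInfo;
import android.os.Build;
import android.webkit.WebView;

/** Hypothetical helper: reports which package supplies the system WebView. */
public final class WebViewProviderInfo {
    // Package names of the standalone Android System WebView and of Chrome.
    private static final String STANDALONE_WEBVIEW = "com.google.android.webview";
    private static final String CHROME = "com.android.chrome";

    private WebViewProviderInfo() {}

    /** Builds a one-line description suitable for an About screen. */
    public static String describe() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O) {
            // WebView.getCurrentWebViewPackage() was added in API 26.
            return "WebView provider: not available from the public API below API 26";
        }

        // Does not load WebView; returns null when no provider is usable.
        PackageInfo info = WebView.getCurrentWebViewPackage();
        if (info == null) {
            // No enabled provider: creating a WebView now would fail, so the
            // caller should show an error instead of inflating its layout.
            return "WebView provider: none installed or enabled";
        }

        String source;
        if (CHROME.equals(info.packageName)) {
            source = "Chrome";
        } else if (STANDALONE_WEBVIEW.equals(info.packageName)) {
            source = "Android System WebView";
        } else {
            source = "other (ROM build or fork)";
        }

        // versionName shows how far behind current releases the provider is.
        return "WebView provider: " + info.packageName + " " + info.versionName
                + " [" + source + "]";
    }
}
```

Calling `describe()` before the first WebView is created lets the app show a message when the provider is missing rather than crashing at startup.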

From time to time I am contacted by someone who is having problems with Privacy Browser because they don’t have a functioning WebView on their system. Usually these are people with root access to their devices who have manually removed a bunch of Google software because they don’t like Google spying on them (a worthy endeavor). Typically they don’t realize that WebView is fully open source and a part of Android in a way that Google Play Service, Gmail, Google Photos, and other closed source Google apps are not.

To restore WebView you can use Yalp or Aurora to download the Android System WebView APK. Bromium also provides a fork of Android’s WebView called SystemWebView that might be worth trying. SystemWebView is open source, but I have not spent the time to inspect their code myself and users are advised to do their own research before deciding whether to trust them.

As part of Privacy Browser’s 4.x series, I am planning to create my own fork of WebView called Privacy WebView. This will allow greater control over JavaScript, cookies, DOM storage, browser fingerprinting, and other privacy features that currently cannot be managed with Android’s WebView.

5 replies on “WebView”

Hello,

I wanted to open a ticket about this in the bugtracker, but since yesterday it seems to be down. So I will post it here, hopefully you will notice this 🙂

Older versions of Android, as well as custom ROMs, cannot update WebView (trust me, I tried Yalp option, Bromite option, tried using /system/app Mover, I messed with the /system apks, nothing works).
Consider packing a current WebView version to be used by the Privacy Browser app itself. I don’t mean the future PrivacyView fork, I mean merely a current and up to date version of WebView. Chromium can bring its own version and use it, I believe Privacy Browser could do the same?
Thanks in advance.

GNUser

Although it would be wise to say that one of the issues in my device is that it doesn’t have NEON support. Dunno if it affects anything or not 🙂

Yes, the bug tracker was down due to the following bug, but it is now back up: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953205.
Regarding the packaging of WebView inside of Privacy Browser, I have no intent of undertaking an effort like that. The time commitment would be significant and would eclipse the entire amount of time I am currently able to spend on Privacy Browser, meaning that all other development would grind to a halt.
If you are using a device that is so old it cannot get updates to WebView, and if you care significantly for your privacy, you should consider upgrading to a newer device. Any version of Android outside security updates is likely to be compromised from multiple angles.

Today I was able to use the tracker again. Great news!

I was unaware it would be so much work, never mind it then.
What do you mean by “compromised from multiple angles”?

Thanks.

If you are using a version of Android that is so old it is having issues updating to current versions of WebView, there are literally hundreds of known vulnerabilities in every aspect of the platform, from the kernel, to the baseband, to the radio, to the media processors, to the encryption cipher suites, and on and on. Anyone who wants to hack your phone can do it fairly easily without you ever knowing it. There is very little Privacy Browser can do to protect you under those circumstances.
