Google released a short review of the changes in the latest version of WebView. Android WebView is a system component that allows Android apps to display web content directly inside an application.

Starting with Android Lollipop, Google decided to distribute WebView as an independent APK updated from the Play Store every six weeks. The goal is to deliver critical fixes to users quickly, as the component had seen some serious security problems. The newest version also brings a couple of important security enhancements.

Google will release Android O later this summer. Alongside that release, WebView will run its renderer in an isolated process separate from the host app, taking advantage of the process isolation that Android already provides for other applications.

WebView will now provide two levels of isolation.

  1. The rendering engine has been split into a separate process. This insulates the host app from bugs or crashes in the renderer process and makes it harder for a malicious website that can exploit the renderer to then exploit the host app.
  2. To further contain it, the renderer process is run within an isolated process sandbox that restricts it to a limited set of resources. For example, the rendering engine cannot write to disk or talk to the network on its own.
    It is also bound to the same seccomp filter as used by Chrome on Android. The seccomp filter reduces the number of system calls the renderer process can access and also restricts the allowed arguments to the system calls.
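
The two properties of a seccomp filter described above (fewer reachable system calls, and limits on their arguments) can be seen in a small seccomp-BPF program; this is an added example, not Chrome's or WebView's actual filter. It assumes Linux on x86-64 or aarch64, and the names `policy` and `probe_sandbox` are made up for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
#define LOAD(f) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, f))
#define JEQ(v, t, f) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (t), (f))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))

/* Constructed toy policy, not Chrome's: exit_group is allowed, write is
 * allowed only when its first argument (the fd) is 1, all else gets EPERM. */
static struct sock_filter policy[] = {
    LOAD(arch), JEQ(NATIVE_ARCH, 1, 0), RET(SECCOMP_RET_KILL),
    LOAD(nr), JEQ(__NR_exit_group, 0, 1), RET(SECCOMP_RET_ALLOW),
    JEQ(__NR_write, 0, 3),            /* any other syscall: jump to the deny */
    LOAD(args[0]), JEQ(1, 0, 1), RET(SECCOMP_RET_ALLOW), /* low 32 bits of fd */
    RET(SECCOMP_RET_ERRNO | EPERM),
};
static int denied(long r) { return r < 0 && errno == EPERM; }

/* Sandbox a forked child and return a bitmask of what it observed:
 * 1 = socket() denied, 2 = write(fd 2) denied, 4 = write(fd 1) not denied. */
int probe_sandbox(void) {
    int status, bits = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { sizeof(policy) / sizeof(policy[0]), policy };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) _exit(64);
        if (denied(socket(AF_INET, SOCK_STREAM, 0))) bits |= 1;
        if (denied(write(2, "x", 1))) bits |= 2;
        if (!denied(write(1, "", 0))) bits |= 4;
        _exit(bits);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) { printf("probe bitmask: %d\n", probe_sandbox()); return 0; }
```

A production filter would also compare the upper 32 bits of each 64-bit argument; this one checks only the lower half to stay short.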

Finally, the newest version of WebView allows third-party applications to use the Safe Browsing features. According to the blog entry, warnings about possibly malicious websites are displayed over 250 million times a month. With a simple manifest tag, you can enable Safe Browsing in your app. You can learn which code you need to add by visiting the Android Developers Blog.

The latest version of WebView should soon be available in the Google Play store.


Source: Android Developers Blog