Posted by Xiaowen Xin and Renu Chaudhary, Android Security Team
The processing of external and untrusted content is often one of the most
important functions of an app. A newsreader shows the top news articles and a
shopping app displays the catalog of items for sale. This comes with associated
risks as the processing of untrusted content is also one of the main ways that
an attacker can compromise your app, i.e. by passing you malformed content.
Many apps handle untrusted content using WebView,
and we’ve made many improvements in Android over the years to protect it and
your app against compromise. With Android Lollipop, we started delivering
WebView as an independent APK, updated every six weeks from the Play store, so
that we can get important fixes to users quickly. With the newest WebView,
we’ve added a couple more important security enhancements.
Isolating the renderer process in Android O
Starting with Android O, WebView will have the renderer running in an isolated
process separate from the host app, taking advantage of the isolation between
processes provided by Android that has been available for other applications.
Similar to Chrome, WebView now provides two levels of isolation:
- The rendering engine has been split into a separate process. This insulates
the host app from bugs or crashes in the renderer process and makes it harder
for a malicious website that can exploit the renderer to then exploit the host
- To further contain it, the renderer process is run within an isolated
process sandbox that restricts it to a limited set of resources. For example,
the rendering engine cannot write to disk or talk to the network on its own.
It is also bound to the same seccomp filter (blogpost on seccomp is coming soon) as
used by Chrome on Android. The seccomp filter reduces the number of system calls
the renderer process can access and also restricts the allowed arguments to the
Incorporating Safe Browsing
The newest version of WebView incorporates Google’s Safe Browsing protections to detect
and warn users about potentially dangerous sites.. When correctly configured,
WebView checks URLs against Safe Browsing’s malware and phishing database and
displays a warning message before users visit a dangerous site. On Chrome, this
helpful information is displayed more than 250 million times a month, and now
it’s available in WebView on Android.
Enabling Safe Browsing
To enable Safe Browsing for all WebViews in your app, add in a manifest tag:
<manifest> <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing" android:value="true" /> . . . <application> . . . </application> </manifest>
Because WebView is distributed as a separate APK, Safe Browsing for WebView is
available today for devices running Android 5.0 and above. With just one added
line in your manifest, you can update your app and improve security for most of
your users immediately.
Android Developers Blog