Google Bolsters Security Features in WebView for Android

WebView in Android O will incorporate features that better protect the host app against browser-based threats.


Google has added a couple of security updates to the WebView feature in Android for displaying web content inside a mobile application.

The updates are designed to better protect mobile applications from browser-borne threats and will become available in the WebView that is integrated with Android O, the next version of the mobile operating system.

A webview basically gives mobile application developers a way to build apps that can display web pages and content without the user having to leave the application. Android's WebView is a sort of mini-version of Chrome running inside many Android mobile applications.

Developers use the feature for a variety of reasons such as enabling application login via a social media account or for letting users fill-up web forms right from within the application or for displaying a newsreader or catalog of items.

Can Build Hybrid Mobile Apps with It

Developers can also use WebView to build so-called hybrid mobile apps that combine web and native functionality. Such apps are built using both native code and web technologies such as HTML5 and JavaScript and are designed to provide users the best of both native app functionality and Web functionality.

Google has been delivering WebView as a separate application programming kit since the launch of Android Lollipop in 2014.

The new version of WebView that will become available with Android O has two security updates designed to enhance mobile application security.

Beginning with Android O, WebView will have the browser rendering function running in an isolated process and separately from the host application, said Xiaowen Xin and Renu Chaudhary, two members of the Android security team in a blog.

Other applications have been taking advantage of Android's ability to isolate processes for some time and WebView will as well when Android O starts shipping, Xin and Chaudhary said.

Harder for Malicious Exploits to Take Root

By splitting the rendering engine into a separate process, WebView insulates the host applications from bugs or crashes during the rendering process. "[That] makes it harder for a malicious website that can exploit the renders to then exploit the host application," the two Google security researchers said.

In order to mitigate this threat even more, the new WebView will run the renderer process within a sandbox that isolates and restricts the resources that can be accessed by the process even further. The rendering engine, for example, will not be able to write to disk or communicate directly with the network, Xin and Chaudhary noted.

The version of WebView that will be available with Android O will also incorporate Safe Browsing, a mechanism in Chrome that warns users when they arrive of potentially unsafe sites or sites that are not adequately protected.

The same warnings that are available to Chrome users will now be available via WebView to Android app users.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.