
What’s new in WebView security

2017-06-23 | admin | Android

Posted by Xiaowen Xin and Renu Chaudhary, Android Security Team

The processing of external and untrusted content is often one of the most
important functions of an app. A newsreader shows the top news articles and a
shopping app displays the catalog of items for sale. This comes with associated
risks as the processing of untrusted content is also one of the main ways that
an attacker can compromise your app, i.e. by passing you malformed content.

Many apps handle untrusted content using WebView,
and we’ve made many improvements in Android over the years to protect it and
your app against compromise. With Android Lollipop, we started delivering
WebView as an independent APK, updated every six weeks from the Play store, so
that we can get important fixes to users quickly. With the newest WebView,
we’ve added a couple more important security enhancements.

Isolating the renderer process in Android O

Starting with Android O, WebView will have the renderer running in an isolated
process separate from the host app, taking advantage of the isolation between
processes provided by Android that has been available for other applications.

Similar to Chrome, WebView now provides two levels of isolation:

  1. The rendering engine has been split into a separate process. This insulates
    the host app from bugs or crashes in the renderer process and makes it harder
    for a malicious website that can exploit the renderer to then exploit the host
    app.
  2. To further contain it, the renderer process is run within an isolated
    process sandbox that restricts it to a limited set of resources. For example,
    the rendering engine cannot write to disk or talk to the network on its own.

    It is also bound to the same seccomp filter (blogpost on seccomp is coming soon) as
    used by Chrome on Android. The seccomp filter reduces the number of system calls
    the renderer process can access and also restricts the allowed arguments to the
    system calls.

Incorporating Safe Browsing

The newest version of WebView incorporates Google’s Safe Browsing protections to detect
and warn users about potentially dangerous sites. When correctly configured,
WebView checks URLs against Safe Browsing’s malware and phishing database and
displays a warning message before users visit a dangerous site. On Chrome, this
helpful information is displayed more than 250 million times a month, and now
it’s available in WebView on Android.

Enabling Safe Browsing

To enable Safe Browsing for all WebViews in your app, add a meta-data tag inside the application element of your manifest:

<manifest>
     <application>
          <!-- Opt all WebViews in this app into Safe Browsing checks -->
          <meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
                     android:value="true" />
           . . .
     </application>
</manifest>

Because WebView is distributed as a separate APK, Safe Browsing for WebView is
available today for devices running Android 5.0 and above. With just one added
line in your manifest, you can update your app and improve security for most of
your users immediately.
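
The "correctly configured" condition above can be checked in a build pipeline. The following is an added example, not code from the original post or from Android: a small Python audit that reports whether the opt-in is enabled, disabled, missing, or placed where WebView will not read it. WebView reads this flag from the application-level meta-data, so the check expects the tag as a direct child of `<application>`; the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
KEY = "android.webkit.WebView.EnableSafeBrowsing"  # meta-data name from the page


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_safe_browsing(manifest_xml):
    """Return (status, detail) for the Safe Browsing opt-in in a manifest string."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # Only direct children of <application> land in the app-level meta-data.
    in_app = [m for m in (app.findall("meta-data") if app is not None else [])
              if _attr(m, "name") == KEY]
    elsewhere = [m for m in root.iter("meta-data")
                 if _attr(m, "name") == KEY and m not in in_app]
    if in_app:
        # Conservative: every occurrence must be the literal "true".
        values = {(_attr(m, "value") or "").strip().lower() for m in in_app}
        if values == {"true"}:
            return ("enabled", "opt-in present under <application>")
        return ("disabled", f"android:value is {sorted(values)}, expected 'true'")
    if elsewhere:
        return ("misplaced", "tag is not a direct child of <application>")
    return ("missing", "no EnableSafeBrowsing meta-data tag")


# Constructed sample manifests (not from the page).
def _sample(top="", inside=""):
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
            f'{top}<application>{inside}</application></manifest>')


def _tag(value):
    return f'<meta-data android:name="{KEY}" android:value="{value}" />'


SAMPLES = {
    "good": _sample(inside=_tag("true")),
    "misplaced": _sample(top=_tag("true")),
    "off": _sample(inside=_tag("false")),
    "missing": _sample(),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, audit_safe_browsing(xml))
```

A value given as a resource reference (for example `@bool/...`) is reported as disabled, because the script does not resolve resources.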

Source: What’s new in WebView security

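Unless otherwise stated, the content of this article is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For more details, see our Terms of Service.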

Tags: Android
