If you are the type of Android user that messes around with pre-installed app content, most probably you came across the Android System WebView. Android WebView represents an important part of the Android Operating System and a package that receives constant updates. Today, we will discuss what Android WebView actually is and what is responsible for in Google’s Operating System.
In the era of Internet services, every Operating System must provide a way to integrate web content into native Application interfaces. Displaying full website content inside an app can greatly reduce App development times. Moreover, web apps are far easier to create than native ones and can also be Operating System agnostic.
Google’s solution for displaying web content inside apps is the Android WebView. Using WebView, an app developer can display a complete website inside their app, without the need of opening links in the System’s Web Browser. To make things more interesting, Google added some extra functionality inside WebView: Specially designed websites can call native Android functions through the WebView, in an effort to improve the user’s experience (for example a website can display a native Android dialog to ask confirmation from the user).
Some Historical Facts
WebView has been included in Android since its early days. At first, it shipped as a system component of the Operating System. A major incident took place on ย January 12th, 2015: Independent researchers Rafay Baloch and Joe Vennix uncovered 11 exploits to the Android WebView. These exploits affected all versions of Android Operating System up to the then latest Android Jelly Bean.
In a controversial move, Google chose to not patch the current WebView implementation, as it was just not possible to send the updated code to all currently shipping Android devices. Costs to OEMs would be enormous. This decision left a huge number of devices vulnerable to serious attacks.
Google came up with a new implementation of WebView on Android KitKat, based on WebKit (and subsequently on Blink). At first, WebView shipped as part of the Android framework, which meant that updating it would require a complete firmware upgrade. To make addressing bugs and security holes easier, Google separated the WebView from the rest of the Operating System on Android Lollipop. From Lollipop onward, Android WebView can be updated through the Google Play Store.
Don’t miss:ย View and Manage Every Aspect of Android with SystemPanel 2
Android System WebView Implementations
Like almost everything on Android, WebView became too complicated during the years of its development. Since Android Nougat, Google made Android WebView a part of Chrome Web Browser (Chrome version 51 onward). Both packages already shared much of their code, so merging them would decrease Application size and memory footprint.
However, a standalone implementation is still available on most ROMs, including custom ROMs (known as Android System WebView or Google WebView). This implementation takes over when Chrome is not installed or it is disabled by the user. Lastly, custom ROMs often provide their own implementation of WebView (known as AOSP WebView on LineageOS and friends), which is a stripped down version of Google’s implementation. AOSP WebView is based on Chromium code and lacks some proprietary features.
So, to sum up, three main implementations of WebView currently exist on Android:
- Android System WebView (or Google WebView)
- Chrome WebView (through the Google Chrome app)
- AOSP WebView
Nougat and later ROMs allow choosing which WebView implementation to use under Developer Options.
What can WebView Do?
- Render HTML content with latest web standards support
- Full-screen content rendering
- Zoom support
- JavaScript code execution
- Keep track of website history and cookies.
- Connect native Android functions with JavaScript functions. This allows Web apps to behave just like native Android apps. User preferences and data can be saved and fetched from the device storage.
It is even possible to create a complete Web Browser by utilizing Android’s WebView. A nice example is Lineage OS Jelly Web Browser. Jelly serves as a front-end adding special functionality to WebView.
Don’t Miss:ย How to Make Google Chrome Load Pages Faster on Your Android
Which WebView implementation should I use?
If you are using the Google Chrome Web Browser, the answer is simple: Just install one of the four variants of Google Chrome (stable, dev, beta, canary) and make sure you have the Chrome WebView implementation selected under Developer Options. This solution will save you some disk space and reduce memory usage. However, if you do not have Google Chrome installed on your device, you can only utilize the Google WebView.
Even if you are running a custom ROM, Google-provided implementations (Chrome and Android System WebView) might appear to work better than the AOSP implementation. AOSP implementation usually includes bugs and can also be back in terms of updates, since it is maintained in forked repositories by custom ROM developers. It usually comes installed as a System app and updating it requires a firmware update.
Whichever WebView implementation you choose to use, you should make sure that you update it often. A huge percentage of Android apps use WebView for simple or more complicated stuff. Security vulnerabilities in WebView can put sensitive user data at risk. Google tries to patch holes as soon as they are discovered and update their Play Store offerings.
Lastly, if your non-custom ROM has WebView implemented in a way it cannot get updates through the Play Store, make sure that you install one of the implementations mentioned above as a user app.
Android WebView Safety Concerns
Despite various bug-fixes over the years, there is one major safety concern about WebView: Allowing JavaScript code to access native Android functions gives a website great privileges. A specially crafted website could destroy or steal user data in a tick of time. There is no known way to filter access to Android internals through WebView yet. The only solution to avoid this type of attack is to only install trusted apps that implement WebViews. Open Source apps, which have their code readily available to read, are best candidates.
Related reading:ย Past and Future of the Linux Kernel on Mobile Devices
Many YouTube videos referencing Android System Webview are Hindu. Type in Indian Scammers in the YouTube search and you’ll see what makes the app Android System Webview suspect. I’m not pointing fingers or trying to be presumptuous …. it’s just an observation.
The writer of this article is not certainly a Hindu. ๐
Android Webview is a piece of shit whose current update crashes my native email app on an HTC One M8. I uninstall back to the factory version only to have the damn thing push its update back again that night. This has been going on for weeks and I’ve finally disabled the damn thing. If that causes issued or exploits, I’ll just out a hammer thru an otherwise stellar phone and jump.ship to the fruit phone brigade. Android can kiss my Pissed off and now unfunctional ass if they keep installing these time bomb apps just to force us into buying the next damn generation of a device.