April 1, 2018

The case against webviews

Many Android applications offer what they call an integrated browser. Behind that name, which is not always clear to everyone, lies the notion of a webview.

In this article, I will talk about those I know best, those of Android, but these findings also apply in whole or in part to other platforms: gtk, qt, iOS…

A good tool too often misused

Webviews allow developers to display web pages inside their applications. This is sometimes useful, but developers who use the feature are often unfamiliar with it, which has significant drawbacks for users. Most of the time, a simple link to the user's browser is enough.

A good use case for a webview is rendering HTML/CSS you wrote yourself to build an advanced UI. The context is then controlled: it can be tested, it is relatively simple, and it does not pull 200 MB of content in a single request. Everything is fine. A common bad practice on Android, however, is to enable JavaScript without any real need, and many applications do exactly that. Doing so opens the door wide to vulnerabilities of all kinds, cryptocurrency mining included.

This does not mean you should never enable JavaScript, but opening that door requires sufficient control over what the code will do, so that it cannot harm the user.

Caution: Using addJavascriptInterface() allows JavaScript to control your Android application. This can be a very useful feature or a dangerous security issue. When the HTML in the WebView is untrustworthy (for example, part or all of the HTML is provided by an unknown person or process), then an attacker can include HTML that executes your client-side code and possibly any code of the attacker’s choosing. As such, you should not use addJavascriptInterface() unless you wrote all of the HTML and JavaScript that appears in your WebView. You should also not allow the user to navigate to other web pages that are not your own, within your WebView (instead, allow the user’s default browser application to open foreign links—by default, the user’s web browser opens all URL links, so be careful only if you handle page navigation as described in the following section).

Extract from official Android documentation

Webviews must be used in a controlled environment, in the sense that everything that is displayed must be predictable. It is nonsense to let users browse the open web with one, as some applications do.
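As an added illustration of the two points above (JavaScript off unless the content is yours, and navigation kept predictable), here is example code written for this article, not taken from any real application or from the Android documentation. The activity name, the allowed host help.example.com, the asset path ui/index.html and the bridge name are assumptions. Remote pages load with JavaScript and local file access disabled; anything outside the allowed origin is handed to the user's default browser; the native bridge is attached only to HTML shipped in the APK.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

/** Hypothetical screen that shows the app's help pages in a locked-down WebView. */
public class HelpActivity extends Activity {

    // Assumption: the only remote origin this screen may render.
    private static final String ALLOWED_HOST = "help.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Remote pages get no JavaScript: a plain HTML/CSS help page does not need it.
        settings.setJavaScriptEnabled(false);
        // Remote content has no business reading local files or content providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            // API 24+ overload.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return handOffIfForeign(request.getUrl());
            }

            // Pre-API 24 overload, still called on old devices.
            @SuppressWarnings("deprecation")
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return handOffIfForeign(Uri.parse(url));
            }
        });

        webView.loadUrl("https://" + ALLOWED_HOST + "/android/");
    }

    /**
     * Keeps navigation predictable: HTTPS pages on our own host load in the WebView,
     * http(s) links elsewhere go to the user's default browser, and every other scheme
     * (javascript:, intent:, file:, ...) is dropped. Returning true consumes the navigation.
     */
    private boolean handOffIfForeign(Uri url) {
        String scheme = url.getScheme();
        if ("https".equals(scheme) && ALLOWED_HOST.equalsIgnoreCase(url.getHost())) {
            return false;
        }
        if ("http".equals(scheme) || "https".equals(scheme)) {
            try {
                startActivity(new Intent(Intent.ACTION_VIEW, url));
            } catch (ActivityNotFoundException ignored) {
                // No browser installed: drop the link rather than render it ourselves.
            }
        }
        return true;
    }

    /**
     * The one case where JavaScript and a native bridge are acceptable: the HTML and
     * JavaScript ship in the APK, so every script that can reach the bridge is ours.
     * Assumption: assets/ui/index.html exists in the app.
     */
    private void loadBundledUi(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(this), "Android");
        webView.loadUrl("file:///android_asset/ui/index.html");
    }

    /**
     * Minimal bridge. With targetSdkVersion 17 or higher, only methods annotated with
     * @JavascriptInterface are reachable from JavaScript; keep that surface tiny.
     */
    public static class NativeBridge {
        private final Activity activity;

        NativeBridge(Activity activity) {
            this.activity = activity;
        }

        // Invoked on a WebView background thread; treat the argument as untrusted input.
        @JavascriptInterface
        public void showMessage(String message) {
            if (message == null || message.length() > 200) {
                return;
            }
            activity.runOnUiThread(
                    () -> Toast.makeText(activity, message, Toast.LENGTH_SHORT).show());
        }
    }
}
```

The split matters: the remote path never enables JavaScript, and the bridge is only ever registered on the bundled path, so a compromised or spoofed help page cannot reach native code even if navigation filtering were bypassed.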

A poorly integrated tool

Webviews can also degrade the user experience because they ignore user preferences. If a user installs one browser rather than another, they have reasons to do so, and by using a webview you impose a particular browser on them. Android does, however, have an elegant way to address this: it lets the user choose the WebView implementation.

Screenshot of Android settings

That would be great if there were non-Google implementations; as it stands, it looks rather useless. Furthermore, the setting lives in the Developer options, which keeps it out of reach in practice anyway. In the end, preferences, bookmarks, extensions and every synchronization system are ignored, to the delight of all the advertisers and trackers on the web.

A poorly managed tool

The WebView implementation changes with the Android version. In concrete terms, this means that several different webview engines are in the field.

Here is the list:

  • Android WebKit
  • Chromium 37
  • Chromium 33
  • Chromium 30

Chrome’s documentation

For the end user, it is almost impossible to distinguish them. But the code that makes them work is very different.

Consequences:

  • different behaviours when rendering web pages
  • a considerably longer test phase for web and Android developers
  • updates are complicated

As noted above, it would be possible to add other implementations, but that is not yet a technical reality, let alone one installed on millions of smartphones.
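Since the user cannot tell the engines apart, a developer or tester should at least be able to record which one a given device runs. The following diagnostic is an added example for this article, not code from the Android project: it reads the WebView's default user agent (available since API 17) and, on API 26 and later, the package that provides the WebView. The class name is an assumption; the "Chrome/NN" token is what Chromium-based WebViews put in their user agent, and its absence is taken to mean the legacy Android WebKit engine.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical diagnostic: which engine will actually render this app's webviews? */
public final class WebViewEngineInfo {
    // Chromium-based WebViews advertise "Chrome/NN" in their default user agent;
    // the legacy Android WebKit engine does not.
    private static final Pattern CHROME_VERSION = Pattern.compile("\\bChrome/(\\d+)");

    private WebViewEngineInfo() {}

    /** Pure helper, so the user-agent parsing can be unit-tested without a device. */
    static String engineFromUserAgent(String userAgent) {
        Matcher m = CHROME_VERSION.matcher(userAgent);
        return m.find() ? "Chromium " + m.group(1) : "legacy Android WebKit";
    }

    /** Describes the engine on this device, with the provider package where the OS exposes it. */
    public static String describe(Context context) {
        // Default user agent of this device's WebView, a static call available since API 17.
        String engine = engineFromUserAgent(WebSettings.getDefaultUserAgent(context));
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Since API 26 the OS also reports which package provides the WebView.
            PackageInfo provider = WebView.getCurrentWebViewPackage();
            if (provider != null) {
                engine += " (" + provider.packageName + " " + provider.versionName + ")";
            }
        }
        return engine;
    }
}
```

Log the result of describe() at startup in debug builds and attach it to test reports, so that a rendering bug or a security finding can be tied to the exact engine it was observed on.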

Conclusion

Webviews are probably too generic, and many developers misuse them. They may still be worthwhile in some cases, however.

As a user, always be wary of applications that embed them. If you can, disable the feature and instead double-tap Android's ▢ (recent apps) button, which works like Alt+Tab, to switch between the app and your own browser.

Except where otherwise noted, content on this site is licensed under CC BY-SA 4.0.