Status of Certificate Transparency in Android Webview


Peter Matthews

Nov 21, 2018, 9:36:17 AM
to android-w...@chromium.org
I need to know the state of CT enforcement in the Android Webview used in mobile apps. Does anyone know if the Android Webview is already requiring certificate transparency logs yet or enforcing certificate transparency? If not yet, is there a timeline available? Do the mobile apps have to modify their code to enable it? Will it be possible to log results without enforcing CT, i.e., is there a way for app developers to detect CT issues with any endpoints without breaking the app? Also, what will happen to the ability to use tools like Charles Proxy when CT features are rolled out?

Changwan Ryu

Nov 29, 2018, 6:49:27 PM
to matthews...@gmail.com, a...@chromium.org, android-w...@chromium.org
agl@, could you answer this question?


Nate Fischer

Nov 29, 2018, 7:18:21 PM
to Changwan Ryu, matthews...@gmail.com, a...@chromium.org, android-w...@chromium.org
Based on this comment, I suspect CT is not enabled for WebView. But, confirmation would be good--especially since I need to make sure we're doing the right thing for the NetworkService code path :)
Nate Fischer | Software Engineer | ntf...@google.com



Nate Fischer

Dec 3, 2018, 3:30:19 PM
to Changwan Ryu, matthews...@gmail.com, a...@chromium.org, android-w...@chromium.org
We've received confirmation that Certificate Transparency is not currently enabled in WebView.

> If not yet, is there a timeline available?

There is no timeline for this work.

> Do the mobile apps have to modify their code to enable it?

We don't plan to expose this decision to apps. Does your app have a need to control this decision?

> Will it be possible to log results without enforcing CT, i.e., is there a way for app developers to detect CT issues with any endpoints without breaking the app?

I don't know if this is feasible. I can ask around if this is a priority for you.

> Also, what will happen to the ability to use tools like Charles Proxy when CT features are rolled out?

I'm not familiar with this tool, and I'm not sure how CT will impact this. I believe you can try the tool with Chrome Desktop; I expect WebView would interact similarly.

---

For those interested in NetworkService (which impacts the near future), we explicitly enforce the same behavior.

Nate Fischer | Software Engineer | ntf...@google.com


Ricardo García Fernández

Mar 25, 2020, 12:12:50 PM
to android-webview-dev, chan...@google.com, matthews...@gmail.com, a...@chromium.org
I can't seem to find good documentation regarding Android WebView and Certificate Transparency. What's the current status by now? Is CT already enabled? If not, is there any timeline already?



Nate Fischer

Mar 25, 2020, 1:01:57 PM
to Ricardo García Fernández, android-webview-dev, Changwan Ryu, matthews...@gmail.com, a...@chromium.org
No update (still no plans for this). We have no documentation on WebView + certificate transparency, but you can "star" crbug/921750.


Nate Fischer | Software Engineer | ntf...@google.com



Jorge García

Sep 7, 2020, 10:59:41 AM
to android-webview-dev, Nate Fischer, android-webview-dev, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández

Hi, what's the current status by now? Is CT already enabled?

Matt Rea

Oct 19, 2020, 5:28:56 PM
to android-webview-dev, Jorge García, Nate Fischer, android-webview-dev, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández
Does not sound like there are any plans to implement CT verification on webviews.

For whoever is listening, we would love this feature! And from searching around on Android slack groups, others would as well. (ASG #security)

Torne (Richard Coles)

Oct 20, 2020, 11:17:29 AM
to Matt Rea, asymm...@chromium.org, Ryan Sleevi, android-webview-dev, Jorge García, Nate Fischer, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández
The WebView team aren't currently planning to implement this, no. The bug is currently assigned to Devon (cc'ed); Devon and Ryan might have thoughts on what would be needed here.

The main questions here would be:

1) what is the compatibility impact of enabling this for WebView - i.e. how many apps are currently relying on certs that won't pass a CT verification if we just enabled it. Ryan, Devon, is there a UMA metric for this that we can check (or enable in WebView if it's not currently being collected) to get some idea of the scope?

2) would we want/need any API for the app developer to control this - this may depend on what the compatibility impact is. If it looks likely to cause a compatibility issue for a nontrivial number of apps then we may need to provide an API to opt in to the verification, though we could enable it by default for apps that target future OS versions. I'm not sure what other needs there might be here; earlier in the thread one suggestion was a way to enable it in a reporting mode that doesn't block anything yet?

Ryan Sleevi

Oct 20, 2020, 12:13:06 PM
to Torne (Richard Coles), Matt Rea, Devon O'Brien, Ryan Sleevi, android-webview-dev, Jorge García, Nate Fischer, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández
Hi Matthew,

I know it's probably not as "transparent" a decision making process (see what I did there), but Nate's response in 2018 is still correct.

We would encourage you to star the bug mentioned, https://crbug.com/921750 . We do monitor such bugs, and that's the best way to stay updated. There's a number of activities happening behind the scenes, but nothing we'd plan to share publicly at this time.

Matt Rea

Oct 20, 2020, 12:18:25 PM
to android-webview-dev, Matt Rea, Devon O'Brien, android-webview-dev, Jorge García, Nate Fischer, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández, to...@chromium.org

Thank you for the replies. Understood - it is not a priority for the team right now. We will star the bug.

I think an opt-in API makes a lot of sense here. Regardless of the compatibility findings, I don't think it should be enabled for everyone initially (assuming this work ever happens)


"earlier in the thread one suggestion was a way to enable it in a reporting mode that doesn't block anything yet?"
I don't see this suggestion? Am I missing something?

Torne (Richard Coles)

Oct 20, 2020, 12:25:56 PM
to Matt Rea, android-webview-dev, Devon O'Brien, Jorge García, Nate Fischer, Changwan Ryu, matthews...@gmail.com, a...@chromium.org, Ricardo García Fernández
Ah, it's not quoted in this reply chain, but you can see earlier messages in the thread here: https://groups.google.com/a/chromium.org/g/android-webview-dev/c/M-HYQ8RyceU