Question about replacing WebView implementation

Roberto Perdisci

Jan 23, 2018, 9:03:14 AM
to android-webview-dev
Hello everyone,

   I have compiled a (modified) MonochromePublic.apk from Chromium branch-heads/3267 (VERSION to 64.0.3267.2). I installed it into an emulator running Android 7.1.1. I've followed the steps in this doc page to replace the WebView implementation to be used with the new Monochrome apk. However, the Monochrome app I just installed is not listed among the possible choices for WebView. Only Chrome Stable is listed. 

What step am I missing? Is there another target, instead of monochrome_public_apk, that I should use to enable Monochrome to be listed as WebView alternative? Or other settings that are needed on Android?

BTW: if I open the newly installed Monochrome browser app, it works perfectly.

Thanks,


Roberto

Torne (Richard Coles)

Jan 23, 2018, 10:25:53 AM
to Roberto Perdisci, android-webview-dev
The list of packages that can be used as a WebView implementation is determined at build time of the system image. If you want to use a different package, you need to build your own Android image with a customised configuration. The standard emulator images will only load com.android.webview.

--
You received this message because you are subscribed to the Google Groups "android-webview-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-webview...@chromium.org.
To post to this group, send email to android-w...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/android-webview-dev/c8e38543-4dc2-4519-9c57-57cd530f3951%40chromium.org.

Nate Fischer

Jan 23, 2018, 8:33:57 PM
to Torne (Richard Coles), Roberto Perdisci, android-webview-dev
From the original post, it sounds like the emulator accepts com.android.chrome (aka Chrome Stable) as a webview implementation. That's unexpected...

Why are you compiling monochrome_public? If you're trying to ship this with AOSP-based devices, then you should look at the list of packages Torne mentioned. The list is an XML file named config_webview_packages.xml, containing package names and signatures. You should add "org.chromium.chrome" to this list (possibly needs the signature, depending on what exactly you're doing).

If you're trying to debug, then I recommend a physical userdebug/eng device (the emulator hypothetically works, but our team doesn't actively maintain this). We only support external developers to build system_webview_apk and install on AOSP images--is there a reason you need monochrome_public_apk for local development?



Nate Fischer | Software Engineer | ntf...@google.com



Roberto Perdisci

Jan 24, 2018, 9:56:02 PM
to android-webview-dev, to...@chromium.org, roberto....@gmail.com, ntf...@google.com
Thanks to both for the information.

Ideally, what I would like to do is to install a modified WebView (compiled from modified Chromium code base) into a device, and to use this new WebView as the default, in place of the original system webview. It would be great if this could be done on real Android devices (say, a Google Pixel C) without the need to root the device. 

Is it possible to do this by compiling/installing system_webview_apk from the Chromium sources, instead of using monochrome_public_apk?

I'm trying to do this as part of an academic research project. We are augmenting Blink/V8 with some enhanced logging capabilities, and would like to enable users who are interested in our research to deploy it on their devices without having to root them.

Thanks much,


Roberto

Nate Fischer

Jan 24, 2018, 11:43:19 PM
to Roberto Perdisci, android-webview-dev, Torne (Richard Coles)
I think most of your questions are answered by our documentation for external developers. Note: you (and your users) need a userdebug/eng image. User builds have security measures to prevent installing your own WebView build.


Nate Fischer | Software Engineer | ntf...@google.com


Torne (Richard Coles)

Jan 25, 2018, 10:48:21 AM
to Nate Fischer, Roberto Perdisci, android-webview-dev
Yeah, as Nate says: if you find a way to replace the WebView on a real device without root and without reflashing it with a custom system image, that would be a serious security bug that we would need to fix. There's intentionally no way to do this: on a regular "user" build of Android (as opposed to the userdebug/eng variants) all WebView implementation packages must be listed in the system image's configuration and each one must either be preinstalled in the system image, or signed with a specifically designated key, to be permitted.

WebView is extremely privileged because it's loaded into the address space of other applications, and so has access to the data and permissions of every single application which uses it - therefore, it can only be replaced by someone who already has the ability to compromise the application sandbox anyway: someone with root access, or the builder of the system image.
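
The acceptance rule described in the message above, as an added example that is not part of the thread and is not AOSP's code: a small Python model that parses a constructed provider list and decides whether a candidate package would be permitted. The XML element and attribute names, the placeholder signature value, and the treatment of userdebug/eng builds (listed packages accepted without the preinstall or signature check) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of config_webview_packages.xml. Element and
# attribute names are assumed; the signature value is a placeholder.
SAMPLE_CONFIG = """
<webviewproviders>
    <webviewprovider description="Android WebView"
                     packageName="com.android.webview" />
    <webviewprovider description="Chromium (research build)"
                     packageName="org.chromium.chrome">
        <signature>PLACEHOLDER_DESIGNATED_KEY</signature>
    </webviewprovider>
</webviewproviders>
"""


def load_providers(xml_text):
    """Map each listed package name to the set of signatures it may carry."""
    providers = {}
    for node in ET.fromstring(xml_text).iter("webviewprovider"):
        sigs = {s.text.strip() for s in node.findall("signature") if s.text}
        providers[node.get("packageName")] = sigs
    return providers


def is_permitted(providers, package, signature, preinstalled, build_type):
    """Model of the rule stated in the thread; returns (allowed, reason)."""
    # The list is fixed when the system image is built, so an unlisted
    # package is rejected on every build type.
    if package not in providers:
        return False, "not listed in the system image configuration"
    # Assumption: userdebug/eng builds accept any listed package.
    if build_type in ("userdebug", "eng"):
        return True, "listed; userdebug/eng build skips the user-build checks"
    # User build: listed AND (preinstalled OR signed with the designated key).
    if preinstalled:
        return True, "listed and preinstalled in the system image"
    if signature in providers[package]:
        return True, "listed and signed with the designated key"
    return False, "listed, but neither preinstalled nor signed with the designated key"
```

A self-built `org.chromium.chrome` signed with a developer key is rejected on a user build even when listed, and a package missing from the list is rejected on userdebug as well, which matches the behaviour reported in the first message.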

Roberto Perdisci

Jan 25, 2018, 3:15:54 PM
to android-webview-dev, ntf...@google.com, roberto....@gmail.com
Got it, thanks.

I was under the impression this would be possible because the user has to explicitly turn on developer mode, before "manually" switching to a different WebView. I thought this would be sufficient to mitigate the security concerns you mentioned.

Thanks for the information.
Best,


Roberto

Torne (Richard Coles)

Jan 26, 2018, 10:55:08 AM
to Roberto Perdisci, android-webview-dev, ntf...@google.com
The Android security model is designed to allow apps to have data which is private from the user (e.g. DRM-controlled purchases). The user of the device is not supposed to be able to violate the application sandbox either, on a normal user build - this is why normal user builds do not allow the user to have root access. So, no, even though developer settings can only be toggled by the user, that's not sufficient to protect apps here.
