Project

General

Profile

Issue #1780

Update the webview apk

Added by Wolfgang Wiedmeyer almost 2 years ago. Updated 4 months ago.

Status:
New
Priority:
Urgent
Category:
Security
Target version:
Start date:
03/15/2017
Due date:
% Done:

0%

Resolution:
Device:

Description

Due to #705, the webview apk in Replicant 6.0 cannot be updated. Currently, webview version 43.0.2357.134 is in use. It was released in July 2015 and has numerous security issues that were discovered since then.

Updating the webview apk would fix a lot of security issues and would ensure that websites can be visited securely using the browser shipped with Replicant or Lightning.


Related issues

Related to Issue #1786: Review the Chromium Webview build environment New 04/09/2017

History

#1 Updated by Wolfgang Wiedmeyer almost 2 years ago

  • Assignee changed from Paul Kocialkowski to Wolfgang Wiedmeyer

#2 Updated by Jeremy Rand over 1 year ago

FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox. Would it be feasible to release an alternate Replicant 6.0 build with a current WebView, for the users like me who are okay with llvmpipe's current state?

#3 Updated by Kurtis Hanna over 1 year ago

It is my understanding that newer versions of webview currently can't be used because they don't work with the software rendering.

#4 Updated by Wolfgang Wiedmeyer over 1 year ago

FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox.

This is great to hear that llvmpipe in its current state is already usable for you!

Newer versions of the webview do indeed work with llvmpipe, at least they should. Latest versions may still introduce issues but these seem to get fixed by the Mesa or Android-x86 developers over time.

Please note that the apk is not built as part of a regular Replicant build. The apk needs to be built separately in a chromium build environment and only the final apk is committed to the source code. The apk can be installed with adb install -r webview.apk, just like a normal app. So there is no need for a completely separate Replicant build, just because of one apk file.

I didn't look into the loader code for the webview, so I don't know if it's possible to switch between the two in a similar way like with llvmpipe and the Android software renderer. At least it should be possible to additionally ship an updated webview apk as part of a Replicant 6.0 zip. Then it can be manually switched between the two with something like adb shell mv old-webview.apk old-webview.apk.bak && adb shell mv new-webview.apk old-webview.apk

#5 Updated by Kurtis Hanna 4 months ago

  • Target version changed from Replicant 6.0 to Replicant 6.0 0004

#6 Updated by Kurtis Hanna 4 months ago

It would be great if we could utilize the script that selects libagl/llvmpipe on a per app basis https://redmine.replicant.us/issues/1844 and somehow configured llvmpipe by default on every app using webview. I don't know how this could be automated.

Here's a suggestions related to how one can visually inspect an app to see if it uses WebView: https://stackoverflow.com/a/19160572

#7 Updated by Kurtis Hanna 4 months ago

Is this the source code for the most current stable version of Webview? https://chromium.googlesource.com/chromium/src/+/master/android_webview/ If so, like Wolfgang said, the Webview apk needs to be built separately in a chromium build environment, so it'd be good if we could build it ourselves.

#8 Updated by Kurtis Hanna 4 months ago

These instructions reference Android 5.0.0 so it might be old https://www.chromium.org/developers/how-tos/build-instructions-android-webview

#9 Updated by Kurtis Hanna 4 months ago

  • Target version changed from Replicant 6.0 0004 to Replicant 6.0 0005

Also available in: Atom PDF