Update the webview apk
Due to #705, the webview apk in Replicant 6.0 cannot be updated. Currently, webview version 43.0.2357.134 is in use. It was released in July 2015 and has numerous security issues that were discovered since then.
Updating the webview apk would fix a lot of security issues and would ensure that websites can be visited securely using the browser shipped with Replicant or Lightning.
#2 Updated by Jeremy Rand about 2 years ago
FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox. Would it be feasible to release an alternate Replicant 6.0 build with a current WebView, for the users like me who are okay with llvmpipe's current state?
#4 Updated by Wolfgang Wiedmeyer about 2 years ago
FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox.
This is great to hear that llvmpipe in its current state is already usable for you!
Newer versions of the webview do indeed work with llvmpipe, at least they should. Latest versions may still introduce issues but these seem to get fixed by the Mesa or Android-x86 developers over time.
Please note that the apk is not built as part of a regular Replicant build. The apk needs to be built separately in a chromium build environment and only the final apk is committed to the source code. The apk can be installed with
adb install -r webview.apk, just like a normal app. So there is no need for a completely separate Replicant build, just because of one apk file.
I didn't look into the loader code for the webview, so I don't know if it's possible to switch between the two in a similar way like with llvmpipe and the Android software renderer. At least it should be possible to additionally ship an updated webview apk as part of a Replicant 6.0 zip. Then it can be manually switched between the two with something like
adb shell mv old-webview.apk old-webview.apk.bak && adb shell mv new-webview.apk old-webview.apk
#6 Updated by Kurtis Hanna 8 months ago
It would be great if we could utilize the script that selects libagl/llvmpipe on a per app basis https://redmine.replicant.us/issues/1844 and somehow configured llvmpipe by default on every app using webview. I don't know how this could be automated.
Here's a suggestions related to how one can visually inspect an app to see if it uses WebView: https://stackoverflow.com/a/19160572
#7 Updated by Kurtis Hanna 8 months ago
Is this the source code for the most current stable version of Webview? https://chromium.googlesource.com/chromium/src/+/master/android_webview/ If so, like Wolfgang said, the Webview apk needs to be built separately in a chromium build environment, so it'd be good if we could build it ourselves.
#8 Updated by Kurtis Hanna 8 months ago
These instructions reference Android 5.0.0 so it might be old https://www.chromium.org/developers/how-tos/build-instructions-android-webview