Project

General

Profile

Issue #1780

Update the webview apk

Added by Wolfgang Wiedmeyer 6 months ago. Updated 6 months ago.

Status:
New
Priority:
Urgent
Category:
Privacy and security
Target version:
Start date:
03/15/2017
Due date:
% Done:

0%

Resolution:
Device:

Description

Due to #705, the webview apk in Replicant 6.0 cannot be updated. Currently, webview version 43.0.2357.134 is in use. It was released in July 2015 and has numerous security issues that were discovered since then.

Updating the webview apk would fix a lot of security issues and would ensure that websites can be visited securely using the browser shipped with Replicant or Lightning.


Related issues

Related to Issue #1786: Review the Chromium Webview build environment New 04/09/2017

History

#1 Updated by Wolfgang Wiedmeyer 6 months ago

  • Assignee changed from Paul Kocialkowski to Wolfgang Wiedmeyer

#2 Updated by Jeremy Rand 6 months ago

FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox. Would it be feasible to release an alternate Replicant 6.0 build with a current WebView, for the users like me who are okay with llvmpipe's current state?

#3 Updated by Kurtis Hanna 6 months ago

It is my understanding that newer versions of webview currently can't be used because they don't work with the software rendering.

#4 Updated by Wolfgang Wiedmeyer 6 months ago

FWIW, I've been happily using llvmpipe for about 2 weeks based on Wolfgang's instructions for Replicant 6.0. It's definitely less snappy, but I'm okay with the extra lag in return for the improved security of using Orfox.

This is great to hear that llvmpipe in its current state is already usable for you!

Newer versions of the webview do indeed work with llvmpipe, at least they should. Latest versions may still introduce issues but these seem to get fixed by the Mesa or Android-x86 developers over time.

Please note that the apk is not built as part of a regular Replicant build. The apk needs to be built separately in a chromium build environment and only the final apk is committed to the source code. The apk can be installed with adb install -r webview.apk, just like a normal app. So there is no need for a completely separate Replicant build, just because of one apk file.

I didn't look into the loader code for the webview, so I don't know if it's possible to switch between the two in a similar way like with llvmpipe and the Android software renderer. At least it should be possible to additionally ship an updated webview apk as part of a Replicant 6.0 zip. Then it can be manually switched between the two with something like adb shell mv old-webview.apk old-webview.apk.bak && adb shell mv new-webview.apk old-webview.apk

Also available in: Atom PDF