Project

General

Profile

Actions
Copy link

Feature #1050

closed

[SECURITY] Why not use Chrome render engine instead of WebView?

Added by divest os 12 months ago. Updated 12 months ago.

Status:
Closed
Priority:
3.x
Assignee:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

The #DivestOS is badmouthing your browser here:

"you are likely using the Google/Chrome WebView with extra telemetry"

"browser is largely not recommended as they are inherently limited due to the WebView merely being a widget for adding web content to an app and are not intended to create a full browser experience."

https://divestos.org/pages/browsers.html#webview

Personally I use Bromite but since it's outdated - I would try this browser if only it uses Chrome engine not webview.

Actions
Copy link
 #1

Updated by divest os 12 months ago

And that page ranked FOSS browser higher than Privacy browser
because Privacy browser's "Fingerprinting Protection" is "No."??

Actions
Copy link
 #2

Updated by divest os 12 months ago

`vulnerability potential can be used to gain access to shared preference files using the file:/// command or can utilize smsJSInterface.launchSMSActivity to send unwanted SMS messages from the phone`

Another topic: does your browser block access to file:* because it is important?

https://security.stackexchange.com/questions/74254/how-android-webview-can-be-exploited-and-how-to-secure-my-app-from-webview-vulne

Actions
Copy link
 #3

Updated by Soren Stoutner 12 months ago

  • Status changed from New to Closed

I have discovered that most websites that pretend to understand security either don't or have ulterior motives. Hence, I don't pay much attention when they get things wrong. Rather, I just focus on building the best browser I can and assume that the internet's understanding will eventually catch up.

Regarding the general idea, Android's WebView is build from a subset of the codebase that builds Chromium. The full Chromium code has a lot more privacy-invading problems than WebView does, although neither is perfect, which is why I am going to release Privacy WebView in the 4.x series.

There is some further information on a tangential subject at https://www.stoutner.com/geckoview/.

Actions
Copy link
 #4

Updated by Soren Stoutner 12 months ago

Regarding the file access question, it is highly antiquated and not applicable as the entire ecosystem has move on (notice how it is talking about Android 4.2). But the short answer is yes, and the slightly longer answer is that, with the change to the Storage Access Framework, all access to files outside of Privacy Browser's private directory are handled by content:// URLs.

There is more information at https://www.stoutner.com/privacy-browser-3-7/.

Actions
Copy link

Also available in: Atom PDF