WebView Security Changes in Android Lollipop

Two WebView changes in Lollipop (Android 5.0) enhance the security of mobile applications:

  • Updatable WebViews
  • Mixed HTTP/HTTPS content not allowed by Default

Updatable WebViews

Before Lollipop, WebViews on Android were not auto-updated. New features and security fixes were not immediately propagated to end-user devices, but were instead pushed via OEM updates (which was painful) [1]. Because of the long delay in pushing new releases of the Android WebView engine, many security issues and exposures went unfixed for long periods of time [3] [4] [5].

Google has changed the update behavior in Lollipop (Android 5.0), where updatable WebViews are now possible [2]. The WebView is now a distinct component separate from the firmware, which makes it updatable via Google Play. This is a very good thing for security, as open security issues in Android WebViews are no longer in the hands of OEM providers. A few other advantages are listed below:

  • WebView security updates are pushed directly to Android devices, and the user no longer has to wait for an OS change
  • WebViews in apps now have the same performance as the Chrome browser. This greatly helps hybrid apps, as they can now provide a unified experience across multiple devices.

Mixed HTTP/HTTPS content not allowed by Default [6]

Mixed content using HTTP and HTTPS in WebViews is now disabled by default. Prior to Lollipop (API 20 and below), the WebView would allow a secure origin (HTTPS) to load content from any other origin, even if that origin was insecure (HTTP). This allowed attackers on the same network as the user's device to modify plain-text HTTP content. The default configuration settings are:

  • KitKat and below WebSettings: MIXED_CONTENT_ALWAYS_ALLOW
  • Lollipop WebSettings: MIXED_CONTENT_NEVER_ALLOW
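
The following is an added example, not code from the original post: one way for an app whose WebView should only ever load HTTPS content to enforce that on both sides of the Lollipop boundary. The class name MixedContentHardening and its helper HttpsOnlyClient are hypothetical; the Android calls (setMixedContentMode, shouldInterceptRequest, WebResourceResponse) are the platform's own.

```java
import android.os.Build;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;

/** Added example (hypothetical helper, not from the original post). */
public final class MixedContentHardening {

    private MixedContentHardening() {}

    /** Call once after creating the WebView, before loading any URL. */
    public static void apply(WebView webView) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // API 21+: set the mode explicitly rather than relying on the
            // default, which depends on the app's targetSdkVersion.
            webView.getSettings()
                   .setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        // KitKat and below have no mixed-content setting, so the request
        // filter below is the only guard there. It is installed on every
        // API level as a second layer.
        webView.setWebViewClient(new HttpsOnlyClient());
    }

    /** Refuses every cleartext (http://) load: pages and subresources. */
    static final class HttpsOnlyClient extends WebViewClient {
        @Override
        @SuppressWarnings("deprecation") // String overload: API 11+; the
        // API 21+ overload's default implementation delegates to it.
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            if (url != null && url.regionMatches(true, 0, "http://", 0, 7)) {
                // Answer with an empty body instead of fetching over HTTP.
                return new WebResourceResponse("text/plain", "UTF-8",
                        new ByteArrayInputStream(new byte[0]));
            }
            return null; // null lets the WebView load the resource normally
        }
    }
}
```

setWebViewClient replaces any client already set on the WebView, so an app with its own WebViewClient would move the shouldInterceptRequest override into that class instead.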

Summary

Android Lollipop (API level 21) increases the security of mobile applications using WebViews. It is highly recommended to build mobile applications using API level 21, and to use the minSdkVersion attribute to support older versions of Android [7].

Pavan Walvekar - 20 Dec 2014 at 19:02