If you are the type of Android user that messes around with pre-installed App content, most probably you came across the Android System WebView. WebView represents an important part of the Android Operating System and a package that receives constant updates. Today, we will discuss what Android WebView actually is and what is responsible for in Google’s Operating System.
In the era of Internet Services, every Operating System must provide a way to integrate web content into native Application interfaces. Displaying full website content inside an App can greatly reduce App development times. Moreover, web Apps are far easier to create than native ones and can also be Operating System agnostic.
Google’s solution for displaying web content inside Apps is the Android WebView. Using WebView, an App developer can display a complete website inside their App, without the need of opening links in the System’s Web Browser. To make things more interesting, Google added some extra functionality inside WebView: Specially designed websites can call native Android functions through the WebView, in an effort to improve the user’s experience (for example a website can display a native Android dialog to ask confirmation from the user).
Some Historical Facts
WebView has been included in Android since its early days. At first, it shipped as a system component of the Operating System. A major incident took place on January 12th, 2015: Independent researchers Rafay Baloch and Joe Vennix uncovered 11 exploits to the Android WebView. These exploits affected all versions of Android Operating System up to the then latest Android Jelly Bean. In a controversial move, Google chose to not patch the current WebView implementation, as it was just not possible to send the updated code to all currently shipping Android devices. Costs to OEMs would be enormous. This decision left a huge number of devices vulnerable to serious attacks.
Google came up with a new implementation of WebView on Android KitKat, based on WebKit (and subsequently on Blink). At first, WebView shipped as part of the Android framework, which meant that updating it would require a complete firmware upgrade. To make addressing bugs and security holes easier, Google separated the WebView from the rest of the Operating System on Android Lollipop. From Lollipop onward, Android WebView can be updated through the Google Play Store.
Android WebView Implementations
Like almost everything on Android, WebView became too complicated during the years of its development. Since Android Nougat, Google made Android WebView a part of Chrome Web Browser (Chrome version 51 onward). Both packages already shared much of their code, so merging them would decrease Application size and memory footprint. However, a standalone implementation is still available on most ROMs, including custom ROMs (known as Android System WebView or Google WebView). This implementation takes over when Chrome is not installed or it is disabled by the user. Lastly, custom ROMs often provide their own implementation of WebView (known as AOSP WebView on LineageOS and friends), which is a stripped down version of Google’s implementation. AOSP WebView is based on Chromium code and lacks some proprietary features.
So, to sum up, three main implementations of WebView currently exist on Android:
- Android System WebView (or Google WebView)
- Chrome WebView (through the Google Chrome App)
- AOSP WebView
Nougat and later ROMs allow choosing which WebView implementation to use under Developer Options.
What can WebView Do?
- Render HTML content with latest web standards support
- Full-screen content rendering
- Zoom support
- Keep track of website history and cookies.
It is even possible to create a complete Web Browser by utilizing Android’s WebView. A nice example is Lineage OS Jelly Web Browser. Jelly serves as a front-end adding special functionality to WebView.
Which WebView implementation should I use?
If you are using the Google Chrome Web Browser, the answer is simple: Just install one of the four variants of Google Chome (stable, dev, beta, canary) and make sure you have the Chrome WebView implementation selected under Developer Options. This solution will save you some disk space and reduce memory usage. However, if you do not have Google Chrome installed on your device, you can only utilize the Google WebView.
Even if you are running a custom ROM, Google-provided implementations (Chrome and Android System WebView) might appear to work better than the AOSP implementation. AOSP implementation usually includes bugs and can also be back in terms of updates, since it is maintained in forked repositories by custom ROM developers. It usually comes installed as a System App and updating it requires a firmware update.
Whichever WebView implementation you choose to use, you should make sure that you update it often. A huge percentage of Android Apps use WebView for simple or more complicated stuff. Security vulnerabilities in WebView can put sensitive user data at risk. Google tries to patch holes as soon as they are discovered and update their Play Store offerings.
Lastly, if your non-custom ROM has WebView implemented in a way it cannot get updates through the Play Store, make sure that you install one of the implementations mentioned above as a user App.
WebView Safety Concerns
Related reading: Past and Future of the Linux Kernel on Mobile Devices