-
There is no difference between AOSP and Google’s WebView. Originally Google only updated WebView with new Android releases. Because of the sorry state of Android updates on most devices, that meant that almost everyone was running outdated, vulnerable versions of WebView.
Google won’t fix bug hitting 60 percent of Android phones | Ars Technica

From the beginning of Android, WebView was built on WebKit, but prior to Android 4.4, the WebView code was built on a different code base than that used by Chromium (it didn’t get updated as much). Beginning in Android 4.4, Android’s WebView started being built from the same code base as Chromium (which had already transitioned to Blink).

Beginning with Android 5.0, Google redesigned the underlying code structure so that WebView could be updated either by an OS upgrade or through an app update on the Play Store. This allowed them to push WebView security updates to devices that weren’t receiving OS updates. Basically, the AOSP WebView code is updated every month or so, that portion is built into an APK, and it is pushed out to all devices running Android 5.0 through the Play Store.
Android 5.0 Lollipop, thoroughly reviewed | Ars Technica

The code can be found at https://android.googlesource.com/ and the instructions for building WebView are at Build Instructions (Android WebView)
-
Google, being the semi-punks they are, does monitor by default all traffic from any app that uses WebView. This general monitoring can be disabled by adding
<meta-data android:name="android.webkit.WebView.MetricsOptOut" android:value="true" />
to the AndroidManifest.xml file.
WebView | Android Developers

They also do other things to make it easy for the internet to track WebView usage, even if the above opt-out is included. For example, WebView abuses the X-Requested-With header to send the application ID (e.g. com.stoutner.privacybrowser.standard) to every website visited by an app running WebView and makes it difficult to completely remove this functionality.
Feature #37: Competely remove the X-Requested-With header - Privacy Browser Android - Stoutner - Redmine

It is reasons like this that I am eventually planning to fork WebView to get something that respects the user’s privacy better.
5 Likes
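An added example, not part of the original posts: a small audit that checks whether a text-form AndroidManifest.xml carries the MetricsOptOut tag quoted above. It assumes the manifest is source or already decoded XML (not the binary form inside an APK) and that the tag belongs directly under `<application>`, as the Android WebView documentation describes; the function name, status strings and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OPT_OUT_KEY = "android.webkit.WebView.MetricsOptOut"


def android_attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def metrics_opt_out_status(manifest_xml):
    """Return 'opted-out', 'disabled', 'misplaced' or 'missing'."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is not None:
        # Only <meta-data> that is a direct child of <application> is
        # application-level metadata.
        for md in app.findall("meta-data"):
            if android_attr(md, "name") == OPT_OUT_KEY:
                value = (android_attr(md, "value") or "").strip().lower()
                return "opted-out" if value == "true" else "disabled"
    # The key exists, but under another element (e.g. an <activity>);
    # report it separately so it can be moved.
    for md in root.iter("meta-data"):
        if android_attr(md, "name") == OPT_OUT_KEY:
            return "misplaced"
    return "missing"


# Constructed sample manifests (hypothetical package name).
HEAD = ('<manifest xmlns:android="' + ANDROID_NS + '" '
        'package="com.example.app">')
TAG = ('<meta-data android:name="' + OPT_OUT_KEY + '" '
       'android:value="%s" />')
GOOD = HEAD + "<application>" + (TAG % "true") + "</application></manifest>"
OFF = HEAD + "<application>" + (TAG % "false") + "</application></manifest>"
WRONG_PLACE = (HEAD + '<application><activity android:name=".Main">'
               + (TAG % "true") + "</activity></application></manifest>")
ABSENT = HEAD + "<application /></manifest>"

if __name__ == "__main__":
    for label, xml in [("good", GOOD), ("off", OFF),
                       ("wrong place", WRONG_PLACE), ("absent", ABSENT)]:
        print(f"{label:12s} -> {metrics_opt_out_status(xml)}")
```

This only covers the metrics opt-out; as the post notes, the X-Requested-With header is sent regardless of this setting.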