WebView stub apk to simplify installation #520
Comments
|
I understand what you mean, but I would not be able to develop this. You could start by developing something like this and see how it is to maintain it. Anything related to the SystemWebView requires constant user support. |
|
I could prepare and test a proof of concept. But in the end, it would have to be signed officially to allow installing official builds of Bromite SystemWebView as updates to it. Also, an overview of the capabilities nesessary for the WebView apart from the permissions declared in its manifest and it being registered as a system web view might be good, so the stub apk would not accidentaly fail to reqest everything from the system. Another idea i had was to fill any webview object another app might create using the stub apk would be filled with useful info. I.E. if only just the stub apk is installed, opening up my webview based browser would fill it with some notice that Bromite WebView is not yet completely installed and simply needs to be upgraded to function. As i'm, totally unfamiliar with the internals of an android webview i've got no clue how to achieve this. As for the maintenance i think it might even be unnecessary to publish the apk for this more than once. As long as package name and signature don't change the stub apk shouldn't need to be altered. (and as long as there are no changes in any permissions or privileges that can only be declared in the original apk file - but i doubt these even exist in android) |
|
Okay i just managed to get a super basic proof-of-concept work by just doing the following:
Now it should be made sure that nothing is overlooked here and that the concept is applicable on android 10 onwards as well (The overlay story). But apart from making it work once i really don't see any expected maintaining burden here. Copy of the source code i used for my test apk stub: |
|
Okay i just tested this on a device running Lineage 17.1 and it worked as well. All-in-all it went just as fine as with the Pie device - the stub did not turn up in the WevView provider list, but as soon as a re-signed complete WebView apk was installed, it appeared in the list and could be used by applications. |
It could be tested on multiple Android versions using Android Virtual Devices.
Indeed, that's what allows to install another package with same name and signature. The version code of the stub should also be smaller. @SebiderSushi regarding the package name: we could also use a Bromite-specific package name, however I am not sure about the breakage that would be involved. If we exclude users with an unlocked bootloader which can use pretty much any package name, what are the remaining use cases where keeping See also: https://github.com/bromite/bromite/wiki/Installing-SystemWebView#about-the-package-name |
|
Sorry for letting this issue slide for so long. I was able to reproduce this in an AVD running Android Pie as well. So basically i've realized that i actually don't own a use case for this, nor can i provide any testing resources that resemble any critical situation where installation to the system partition would be mandatory. |
|
Otherwise, to get back to your question: The thing with the package name IIRC i might have seen Giving bromite a unique package name would be the technically correct thing to do, but unfortunately only works if users can patch their framework-res.apk or if the WebView is bundled in by the ROM maintainer or developer. |
There is no advantage to swap
If root were necessary for any SystemWebView installation procedure, then we could just go with a Bromite-specific package name. The wiki page mentions the debloater approach but I do not have proof that it works. It would contradict the security model guarantees. Perhaps you could do some research there? |
As far as i understand it, the wiki page is aware of the security model implications and the debloater approach is meant for versions prior to Android 7.0, where there was no way to manually pick the WebView implementation in the developer settings. Because of that, disabling any other WebView providers higher in priority than |
|
@SebiderSushi what needs to be done here? As far as I know nobody is working on this. |
|
I'm not sure what you mean. As far as the WebView stub apk is concerned, the following needs to be done (to my current knowledge): Compile an apk file that basically contains just a Manifest with the correct package name. A reference proof of concept can be found here. This apk file just needs to be signed with the same signature as the BromiteWebView release apks and the whole thing is done until further issues are revealed. |
|
It is slightly more complex than that:
I cannot maintain the |
|
Sure. I was just referring to the webview stub, as i'm seeing the question about the package name as a different topic. Regarding that, did you have a look at the overview that i linked in my previous comment on the other issue? I have put together a paragraph about the package name and about all possible considerations i'm seeing there, my conclusion being to keep As it currently stands, i think the lost benefits of using Of course this point could be reconsidered if the team behind a widely distributed custom ROM (like LineageOS) would be willing to whitelist a unique package name for the Bromite WebView. |
|
That makes a lot of ROMs where a Magisk Module with just the files And on userdebug builds (All official LineageOS builds!), the stub apk isn't even needed and an The point: All of this applies to older Android versions without RRO support as well. Of couse, some metrics on this would be nicer than all of my assumptions. Real world data about the number of ROMs which fall into either of the aforementioned categories. |
Isn't this a security hole? I might understand the AOSP case, as OEMs are supposed to "complete it" before release, but how can LineageOS releases go out with this issue open?
Ok, perhaps I do not understand how these are hardened for usage. My reference for a secure non-stock Android OS is GrapheneOS.
The project does not have - nor seek - affiliation; I have to make a decision regardless of what another popular - but separate - project decides. Let's put it in another way: if the package name were The only remaining issues are:
(1) will always be there, it's not on its own a good reason to never do any change/progress
Yes, but I reach different conclusions: the user should be capable of choosing the webview without rebooting into a boot manager or modifying the ROM, and re-using package names is just incorrect from the perspective of how Android works. |
|
Again, as per security, i don't see the issue.
As such, i see it as sufficient to "stuff the security hole" by delivering either "user" builds or by preinstalling a package that fills the spot. Since anyone who can still replace the WebView then will still need root access they're pretty much there already. It don't see how it gets much worse for the victim if an attacker can also replace the webview on top of having at least full access to the system partition. And about GrapheneOS: https://github.com/GrapheneOS/platform_frameworks_base/blob/10/core/res/res/xml/config_webview_packages.xml Also, as GrapheneOS or any other current ROM will run at least on android Pie, an attacker with root access would also be able to place and register an RRO and replace the WebView whitelist with anything they want. |
|
Huh. Okay, i'll go into detail about your points now and then you can maybe point out how my explanation on the wiki could be understood otherwise or be unclear on certain aspects. I agree: Using unique package name is the correct thing to do. Being able to choose the WebView implementation in userspace is convenient and some use cases might require it (though i don't know any of them). I think re-using Reminder: The following considerations are invalid when RRO support is present. That is, if older android versions were to be deprecated, a unique package name should definitely be used. At this time, i am unsure on which android versions RROs could be made to work, but during my tests with Marshmallow, Nougat, Oreo, Pie and Ten i was only able to register an RRO on Pie and above. I remember that @linuxandria statet RROs could theoretically be made compatible with android versions as low as 5.1, so we'll see how far we might get with this. Now, as long as android versions where we cannot successfully override the WebView whitelist shall be supported by the Bromite WebView, the following consideration applies: Without a custom WebView whitelist, the only hope to support any device, is by using the package name Using another package name will not work, not even on LineageOS. They solely whitelist the Google WebView & a handful of Google Chrome variants (all pinned to a signature) and The reason why i'm constantly bringing up LineageOSThese Numbers: https://www.lineageoslog.com/statistics I think of LineageOS and LineageOS based custom ROMs as "probably a significant part of the Bromite WebView userbase". (Of course, other Projects like OmniROM are probably viable for use with custom webviews as well.) I do this because of the following considerations:
Obviously, any actual user metrics of Bromite WebView itself would be nice. As long as we don't have access to those, i only see that we can run speculations, flip a coin or deprecate anything we can't get an RRO to run on. |
TL;DR:My Especially since i don't see use cases requiring the former, i am convinced that the latter aspect weighs much more. The question boils down to: |
|
And again, what i've said depends on our current know-how about replacing the WebView whitelist. If anyone where to find new and better methods to replace the whitelist on real world devices, the whole argumentation will shift towards a unique package name. Any setup where the whitelist can be overridden can properly be supported by Bromite WebView. |
I thought that you do not need root access if the package is there and without a signature.
Let's ask @thestinger: there is no possibility to install a malicious webview (matching the whitelisted package name) on GrapheneOS without root access, correct?
You forgot to mention that the user must also have root access. What about modding the OS through
I think it's possible to mod any ROM to support other webviews through a custom bootloader; see https://forum.xda-developers.com/showpost.php?s=16f45eae40ceea4635e4433c72137749&p=81313655&postcount=11
Sorry, Bromite is not affiliated to LineageOS.
This makes you biased; kudos for exposing the bias, but I still have to make a choice based on the neutral case e.g. any user using any ROM. |
Correct, and it uses verified boot. The OS is verified from the root of trust. |
This is nonsensical. How exactly is a redundant signature check going to help in any situation? If an attacker has exploited the OS successfully to gain full root access, what's the relevant of this of having a signature hard-wired here? Also, you do understand that GrapheneOS has full verified boot just like the stock OS, right? It is not particularly relevant to this though... |
|
Android uses key pinning for every single app installation. If an app is built into the system image, the key is permanently pinned via the app being built into the system image. It doesn't make sense to talk about an attack where the app is replaced in the system image. An attacker would already need to have gained full root access to remount as writable and modify it. They could also modify the whitelist... how does it make any sense to propose that as an attack vector? Also, it's just going to be detected as tampering by verified on the next boot either way. Verified boot chains trust from the firmware and verifies all of the OS images. Specifying a signature in |
|
I can't think of any case where using |
The only insecure scenario is when there are whitelisted packages and the ROM comes without such packages installed. The previous discussions here on this issue are confusing when they don't explicitly mention this condition. There are a lot of hypothesis cast here; my rationale is more or less: if So @SebiderSushi I think the research can be split into two trunks:
You have already done a lot of investigation, what would make sense to me is to arrange this in some sort of user guide/flow diagram; each step should also be clear about the security implications. |
|
I am aware that the only way to install a webview without breaking the security model is to have it supported at build time. Thus, i am implying unlocked bootloaders (and consequently root/full system access) at all times aince it's the only realistic way to install a custom webview on an end user device without building a full rom to achieve that. |
|
As a consequence i am not talking about any use cases that preserve AVB. I am unaware of any ROM that would bundle Bromite support. That's what i meant when i was saying
At no point did I want to imply any affiliation but without such a thing happening, the only remaining use case is users with unlocked bootloaders patching up their system partitions or installing Magisk Modules or whatever does the job. |
Counterexample:
I can install Bromite WebView by running How would i replace the webview whitelist in this scenario to support a unique package name if patching up |
|
How much effort would it be to compile the Bromite browser with support for being a webview provider as well? |
Kinda pointless as on 10+ browser and webview are separate in upstream chromium |
|
They're not really separate but rather it's split into 3 apks: browser, WebView and a library apk providing most of the code which is shared between them. |
|
The standalone WebView target is perfectly modern and still fully supported. The standalone browser apk targets are not intended for usage on modern devices. If you wanted to avoid having the library split out while still being a modern build, you would need to make a new target. |
For our intents separate packages separate apps, although I am aware of trichrome vs monochrome |
|
We're going to assume trichrome library is available on devices that needs it, and we're only worried about webview and to an extent browser |
|
The library is used by the browser and WebView apks - nothing else. It provides the bulk of the code. |
Well yes what's what I'm saying :) |
My motivation behind that question has beed the following idea: Granted, debugging the standalone webview in parallel to having an upstream chromium webview package installed would still be impossible. As for Trichrome vs. Monochrome: They are just both methods of deduplicating code right? And they are both valid and work, even on android 10+? |
|
No, it's not simply a choice between different ways to share code. |
Trichrome is Android 10+, monochrome is =< 9 |
|
The upstream build system also doesn't define standalone browser targets for modern Android. If you want that, you need to define them yourself, otherwise you'll be deploying builds not fully supporting the modern platform. For the WebView, the standalone WebView target is fully supported across all supported versions. If you want to share the code with the browser, Trichrome is used on Android 10+ and Monochrome for earlier versions (ever since it became supported). Monochrome isn't supported on Android 10+ and Trichrome isn't supported before Android 10. |
|
It's incorrect to use ChromeModernPublic on Android 7+. You need to define your own target for a standalone browser. It will work, but it won't support the modern platform features including security improvements tied to API level. It's similarly incorrect to use Monochrome on Android 10+, and it will not work as a WebView provider at all. It will only provide a working browser with the same issue as ChromeModernPublic, with a less ancient target API level. |
APKs can bundle
@thestinger |
TrichromeLibrary does that with both the native library and other resources. It uses the standard infrastructure for using an apk as a library (which goes beyond just a native library) in a way that's properly authenticated.
@csagan5 There is no modern standalone browser target because Chrome doesn't use it so they haven't defined one. Vanadium uses the Trichrome targets. TrichromeChrome + TrichromeLibrary without shipping TrichromeWebView is the only way to get a modern browser using only the upstream targets. We use the 64_32 version of the targets so that 64-bit is not only supported but also preferred over 32-bit so that all the browser processes run as 64-bit and the WebView renderers run as 64-bit. You would need to create a modern standalone browser target yourself to have it without the TrichromeLibrary split. I'm not sure how many changes there are beyond targetSdkVersion. Using the 64_32 targets is also now the correct way to prefer 64-bit processes and that's part of the Trichrome build infrastructure. You can use Trichrome without the WebView (by just using the browser and library apk) but it's not setup to build it as a single browser apk without the library. |
|
Modern doesn't actually mean modern - it meant modern at the time it existed, compared to the older one. It was replaced by Monochrome and then Trichrome. Chrome is never shipped as a standalone browser without the WebView so there is no upstream target for something they never use. Quite possible to make it but they don't since they have no use for it. |
Bromite builds only the 64-bit version of the APKs so at least on this aspect I think the processes cannot run over 32-bit.
It could be a bloodbath, but I am compelled to try now.
Sure, it would have the benefit to be compatible for both 32-bit and 64-bit architectures.
Yes, I was aware of the relativity of "modern" - but what surprises me from your posts is that there is actually a substantial difference in the security features (and possibly not related to security alone?) when using MonoChrome < Android10 and TriChrome >= Android10. I have always been under the impression that the only advantage was the shared libraries/memory savings in conjunction with a SystemWebView, and nothing else. Would you care to explain those differences, or otherwise point me to some official documentation for me to learn about it? I surely want to tackle this problem once I understand the entity of it. |
I remember a Google groups discussion on trichrome vs monochrome but I can't seem to find it now |
|
@csagan5 As long as targetSdkVersion is set to the proper value (29 for Android 10), it's not nearly as big of an issue as it used to be and I think they've probably changed this part for all the targets now due to the Play Store requirements. |
Ok, thanks for your reply. So I could avoid using TriChrome by simply rebuilding ChromeModernPublic with a different |
|
targetSdkVersion should always be 29 regardless of minSdkVersion. Trichrome has a much higher minSdkVersion and gets to avoid including legacy things and using legacy approaches like the crazy linker. I am not quite sure how to set up a proper truly modern standalone browser target at the moment though. There are a few things that need to be adjusted. |
|
@thestinger I have a question about Trichrome. The instructions here says |
|
You can generate a universal apk from the bundle, or you can generate an apk specialized to the device that you're installing on which is what the Play Store does for developers who give their signing keys to Google. The tool for generating apks (universal or more specialized to devices) is open source (bundletool). I recommend looking at |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
ghost
mentioned this issue
|
Starting from the v97 release the Bromite SystemWebView will have its package name changed to As for stubs: please create a PoC that compiles with gradle or with the Chromium build tools and I will consider it. Thanks for the useful discussions! |
Do you have any idea when m97 will land for you guys? We need to properly implement it in WebView Manager if the package name is going to change. |
|
Thanks for the update! The idea for the stub was to leverage the fact that Thanks for considering. |
Is your feature request related to privacy?
No, but hear me out guys (i swear)
Is there a patch available for this feature somewhere?
No
Describe the solution you would like
A small (<~2MB) stub apk file signed by csagan5 and officially released. This file could be installed to the system or a magisk module folder to obtain the proper privileges and be registered in the system. As soon as the first upgrade is installed, it will bring the full WebView functionality.
This would be useful on devices with limited storage capabilities, especially under /system. For example the Nexus 4 with only 8GB of total internal storage in some devices and no sd card slot.
It should only be necessary to test, build, sign and publish such a stub apk once so the effort might just be worth it.
This would open up the possibility of compiling and publishing a single and concise Recovery flashing zip or Magisk Module (small and which does not access the internet). This could be used for a user-friendly installation, followed by a simple apk installation as done with every upgrade that will follow anyway.
Describe alternatives you have considered
Using a full SystemWebView apk and placing it in the system or magisk module folder.
This uses a mentionable amount of space which serves no more use as soon as an upgrade gets installed.
Installers like a Recovery flashing zip or a magsik module installer would need to either carry a full blown webview apk file for whatever target architecture applicable or access the internet to download them. On arm64 devices where an extracted webview library file needs to be present, such installers might not even install a working webview to begin with. In these cases the webview also just gets usable after the first upgrade or reinstall into the userdata partition.
The text was updated successfully, but these errors were encountered: