Hacker News
by girvo 4576 days ago
Damn, I was hoping this bypassed permissions. It can still be dangerous; picture the Facebook app's permission structure: it uses a WebView (or used to anyway, I haven't used Android in a while now). An attacker could send a link that does something useful, or inject JavaScript into a legit page that, when viewed in FB's app (coupled with an FB status worm, anyone?), sends messages to premium SMS numbers... the attacker could rack up quite a bit of money.

This is dangerous due to applications' habit of requesting a lot of permissions, often for use cases that don't need that huge API in particular. The problem is, designing a more fine-grained permissions structure that is tractable in terms of UI is a hard problem. This also points out one of the issues of Android's lack of vendor-supplied updates for anything less than a flagship phone :(

Does anyone know if WebView has been decoupled from the base OS in later versions? I know it has been hooked into Chrome now, right, so does that API get updated with Chrome itself?

1 comments

The changes to the WebView are purely about the rendering engine (and possibly the JavaScript engine). The API itself hasn't changed, as any old app will use the new WebView as well.

The actual rendering engine change is from a generic WebKit to that of Blink, used in Chromium. Chrome the application is then a rebranded Chromium, which, compared to the WebView, has a lot of its own code separate from the WebView.