Posted by the Android workforce
Android WebView is a strong and versatile API that Android builders can use to embed media of their apps, and regularly bettering its safety and privateness protections is a prime precedence for our workforce. For instance, embedded media suppliers ought to be capable of confirm that their media is taking part in in a trusted and protected setting. Android app builders and SDK suppliers have already got options for this, together with attestation companies just like the Play Integrity API and Firebase App Examine, which protect consumer privateness whereas enabling builders to confirm their apps’ server requests. Right this moment, app builders are capable of cross info from these attestation companies to embedded content material suppliers; nonetheless, the present course of is neither easy nor scalable. That’s why we’re piloting an experimental Android WebView Media Integrity API with choose embedded media suppliers early subsequent 12 months.
How does this relate to the Internet Surroundings Integrity API proposal?
We’ve heard your suggestions, and the Internet Surroundings Integrity proposal is not being thought-about by the Chrome workforce. In distinction, the Android WebView Media Integrity API is narrowly scoped, and solely targets WebViews embedded in apps. It merely extends current performance on Android gadgets which have Google Cellular Companies (GMS) and there are not any plans to supply it past embedded media, equivalent to streaming video and audio, or past Android WebViews.
What’s the problem with Android WebViews?
The Android WebView API lets app builders show internet pages which embed media, with elevated management over the UI and superior configuration choices to permit a seamless integration within the app. This brings quite a lot of flexibility, however it may be used as a way for fraud and abuse, as a result of it permits app builders to entry internet content material, and intercept or modify consumer interactions with it. Whereas this has its advantages when apps embed their very own internet content material, it doesn’t prohibit dangerous actors from modifying content material and, by proxy, misrepresenting its supply.
What performance are we bringing to embedded Android WebView media?
The brand new Android WebView Media Integrity API will give embedded media suppliers entry to a tailor-made integrity response that comprises a tool and app integrity verdict in order that they’ll guarantee their streams are operating in a protected and trusted setting, no matter which app retailer the embedding app was put in from. These verdicts are easy, low entropy metadata concerning the app and machine and don’t include any consumer or machine identifiers. In contrast to apps and video games utilizing Play Integrity API, media suppliers is not going to acquire the app’s Play licensing standing and apps may even be capable of exclude their package deal identify from the decision in the event that they select. Our objective for the API is to assist maintain a thriving and various ecosystem of media content material in Android apps, and we’re inviting media content material suppliers to categorical curiosity in becoming a member of an early entry program early subsequent 12 months.