1. Foreword

If you use WebView on stock Android (with Google Play services), you may have encountered a red-screen security warning when loading certain web pages.

This is WebView's security protection policy. It is the default policy in Android 8.0 (API level 26) and applies to the WebViews of all apps.

Google maintains its own list of “unsafe” sites and syncs it to all devices through Google Play services. When a user visits a site that has been marked as “unsafe”, a “red screen” warning is shown.

Note that this is the default policy, and although the intention is to protect users, there are times when our own apps need to have autonomy.

Is there a way to turn off this protection in our App? After all, I am the master of my application, and it is up to me to control the security of my application.

This article covers how to turn off this security policy on Android 8.0 (API level 26).

2. What is the WebView security policy

Since April 2018, with the release of WebView 66, Google Play Protect enables this secure browsing policy in WebView by default.

Android developers can enjoy this protection without making any changes when using WebView. Secure browsing has been integrated into WebView since Android 8.0 and uses the same underlying technology as Chrome on Android.

Once the WebView security mechanism is triggered, a “red screen” warning appears.

Google maintains its own list of offending sites to ensure that users are warned before they visit them. Google goes to great lengths to keep this list synchronized in order to protect users.

3. How to control the security policy

On Android 8.0 and above, WebView’s secure browsing policy takes effect by default.

That is, if we want to use it, we don’t need to do any extra work, but if we don’t want to use it, we need a way to turn it off.

3.1 How to Enable Monitoring

WebView security is dependent on Google Play and Chrome updates, which means that even if you’re running Android 8.0, this policy may not work.

So how do you know if this feature works?

WebView provides a method, startSafeBrowsing(), that starts the secure browsing policy. Its callback tells you whether Safe Browsing is ready on the device.

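import android.util.Log
import android.webkit.ValueCallback
import android.webkit.WebView

// `this` is a Context (for example the Activity); the callback reports whether Safe Browsing started.
WebView.startSafeBrowsing(this, object : ValueCallback<Boolean> {
    override fun onReceiveValue(value: Boolean?) {
        // value may be null, so treat null as "not started"
        val isOpen = value ?: false
        if (isOpen) {
            Log.i("cxmy_dev", "Safe browsing. On")
        } else {
            Log.i("cxmy_dev", "Safe browsing. Off")
        }
    }
})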


Note that the value inside the callback may be null.

3.2 How Do I Disable a Security Policy

The WebView security policy starts by default. If you want to turn it off, you need to use the WebSettings class, which has the setSafeBrowsingEnabled(Boolean) method.

webSettings.safeBrowsingEnabled = false


This approach is a global policy that is either on or off.

3.3 Configuring a Whitelist

The setSafeBrowsingEnabled() method only gives you a binary setting, either on or off. What if we want to allow only certain hosts to skip the security policy check?

WebView also provides a setSafeBrowsingWhitelist() method for setting a whitelist for the security policy.

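// Hosts that are allowed to skip the Safe Browsing check
val array = ArrayList<String>()
array.add("example.com")
WebView.setSafeBrowsingWhitelist(array, object : ValueCallback<Boolean> {
    override fun onReceiveValue(value: Boolean?) {
        // value reports whether the whitelist was applied
    }
})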


The setSafeBrowsingWhitelist() method is flexible: an entry can specify a domain name together with its subdomains, or a domain name without its subdomains. You can also configure IPv4 and IPv6 addresses.
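A narrower alternative to switching the policy off globally, as an added example that is not code from the original article: it checks each entry against the rule shapes the Android documentation lists for setSafeBrowsingWhitelist() (hostname, leading-dot hostname, IPv4 literal, bracketed IPv6 literal) before applying it. The names TAG, isValidAllowlistRule and applySafeBrowsingAllowlist are hypothetical, and requiring at least two hostname labels is this example's own conservative choice.

```kotlin
import android.content.Context
import android.os.Build
import android.util.Log
import android.webkit.WebView

private const val TAG = "SafeBrowsingSetup" // hypothetical log tag

// Accepted rule shapes; wildcards, schemes, ports and paths are not valid rules.
private val LABEL = "[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
private val HOST_RULE = Regex("\\.?$LABEL(\\.$LABEL)+") // "example.com" or ".example.com"
private val IPV4_RULE = Regex("(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})")
private val IPV6_RULE = Regex("\\[[0-9A-Fa-f:.]+\\]") // IPv6 literal in brackets

fun isValidAllowlistRule(rule: String): Boolean {
    // Dotted quads are checked first so that "1.2.3.999" is not accepted as a hostname.
    IPV4_RULE.matchEntire(rule)?.let { m ->
        return m.groupValues.drop(1).all { it.toInt() <= 255 }
    }
    // Assumption of this example: a bare label such as "com" is rejected as too broad.
    return HOST_RULE.matches(rule) || IPV6_RULE.matches(rule)
}

/** Starts Safe Browsing, then exempts only the given hosts instead of disabling it globally. */
fun applySafeBrowsingAllowlist(context: Context, rules: List<String>) {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.O_MR1) {
        Log.w(TAG, "startSafeBrowsing/setSafeBrowsingWhitelist need API level 27; skipping")
        return
    }
    val (valid, rejected) = rules.map { it.trim() }.partition(::isValidAllowlistRule)
    rejected.forEach { Log.w(TAG, "Ignoring invalid allowlist rule: $it") }

    WebView.startSafeBrowsing(context.applicationContext) { started ->
        if (started != true) { // the callback value may be null
            Log.w(TAG, "Safe Browsing is not available on this device")
            return@startSafeBrowsing
        }
        if (valid.isEmpty()) return@startSafeBrowsing
        WebView.setSafeBrowsingWhitelist(valid) { applied ->
            Log.i(TAG, "Allowlist $valid applied: ${applied == true}")
        }
    }
}
```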

4. Summary

Today we talked about how to turn off WebView's secure browsing policy. Note that the content of this article is only supported on API level 27.

Of course, WebView security is necessary. If Google mistakenly flags your domain as a dangerous link, you can have it unblocked by filing an appeal.
