Can e/ consider to change the webview for having a more secure one?

I suggest taking a look at this first…

Installing SystemWebView · bromite/bromite Wiki · GitHub

Back in the day, before the package name change, we would try to get Bromite webview working on OEM stock ROMs. Whereas all custom ROMs use/supoort com.android.webview, stock ROMs did not. Only Google’s webview and Chrome products.
After going through the steps we’d cross our fingers and hope the ROM would boot. Usually not due to signature issues.

Fast forward to current time. Bromite’s webview is now org.bromite.webview. To use that one has to hope that custom ROMs today have added support for it. LineageOS in this case.
One can either go through the steps to find out (or search around to see if that’s the case) or just use the standard Chromium webview (com.android.webview) and not worry about the framework procedure.

Chromium webview is available for regular updates via F-Droid, using Bromite repo, so that’s cool.
You can get the Chromium webview from here…

Chromium releases | Bromite - take back your browser

EDIT: Even though I have Magisk and could’ve just used the WebView Manager module, I decided to mess around and use the NanoDroid Bromite WebView package. It didn’t go as easy for me as it did for @Matias_Javier . The /e/ BrowserWebView was still in play but I eventually fixed things. Now the Teracube has the latest webview.
YMMV.

1 Like

Then there’s the other issue. Does one want just an updated webview or one with some privacy related patches.
Example is with WebRTC IP leaks.

I have a ROM that I wanted to set up in a different way, with no Firefox or Chromium-based browsers. Rooted but not with Magisk. One browser used is Fulguris. It has a WebRTC toggle which I turn off.
In a test I see the public and local IP addresses are present. An issue has been opened on their github by the dev himself. Since the webview may be (part of) the reason I tested the browser on four devices.

Two with Chromium/vanilla webview exposed the IPs, local and public. One with Bromite webview and the other with /e/'s webview did mot expose any IPs.
When I switched one of the first two to VPN over Tor then the public IP was not shown but the local IP was.

That’s just one example.
Still, none of us should have to jump through hoops or risk screwing up our systems to “fix” such an important part of the system.

Thanks @marcdw, I have followed your suggest… and the other link; I have already added this repository in F-Droid some weeks ago.

But, in the end, I agreed with you:

and so I’ll wait for a system solution. Thank you again.

1 Like

Is GeckoView can be an alternative/solution ?

GeckoView is not a system WebView provider.

It would technically be possible, but would require an extensive amount of work to actually make available all the necessary calls.

1 Like

Why not just use FireFox? Would broaden the appeal as well. Its important to remember, that if /e/ is to succeed, it cant be only for the tech savvy. When there are non-gogol mainstream alternatives, why not go for them?

@Macrophag You can’t replace the system WebView with Firefox.

btw another zero-day for Chromium was just announced, /e/OS WebView/browser known security vuln count is up to 274: https://divestos.org/misc/ch-dates.txt

3 Likes

Okay Ladies and Gentlemen, I just came across a method to get Bromite Webview unto the system without Magisk or the framework-res editing craziness.

[GUIDE]How to install Bromite SystemWebView without Magisk (Android 12+ included) | XDA Forums

Historically speaking I was never a fan of Magisk for a number of reasons. Didn’t start using it until /e/OS Pie on the Essential PH-1. Lineage SU was insufficient on a system-as-root setup (would not work with AdAway or Substratum for instance). With Pie and above, if one wanted root, Magisk was pretty much the only game in town.

On my Moto devices, where I was still multibooting, Magisk was definitely a no-go. When Bromite Webview changed package names I could only now use the updated vanilla/chromium webview. As mentioned earlier, we get WebRTC leaks and whatnot.

So I tried method 1 on crDroid Oreo, Moto G5s Plus sanders, non A/B SAR device. Has TWRP so adb wasn’t necessary. Flashing the zip didn’t work. No errors but I believe the zip expects system-as-root, treble compatible setup or something. The apk didn’t get installed to /vendor/overlay/.
Method 2, on the other hand, was a success. Manually placed the apk to the overlay location, bromite webview already installed as a user app. Now developer options showed both webviews. Selected Bromite and did WebRTC check. No leaks.

There you go, another way to possibly get Bromite WebView onto one’s system.

3 Likes

Thank you @marcdw.
I have a FP4, without root, so I think I can only wait this:

:crossed_fingers:

As far as I see, the second method uses Rooted Debugging. This isn’t plain root, it’s a switch in the Developer options which enables ADB to work as root if wanted or needed.
Not every /e/OS build might support Rooted Debugging, though, I’m not sure about the current status.

1 Like

Thank you for exaplaine for me. I did not understand and because of this I did not follow the link of @marcdw post. I have ADB root so I will try method 2 step by step.

Tried:
1 “Enable Rooted debugging by navigating to *Settings > Developer options > Rooted debugging.”
2 “Connect your phone to your PC and type”
then, after “adb root”, stop at:
3 “Mount the vendor folder: adb shell mount -o rw,remount /vendor”
with this message: “mount: ‘/dev/block/dm-11’->’/vendor’: I/O error”
:slightly_frowning_face:

Can you access or list the contents of /system/vendor/? If so you can try and use that location.
On my old device I believe /vendor is a symlink to /system/vendor (??).

1 Like

Hi @marcdw
I just look at the contents of system/vendor, there’s a link to vendor, not the opposite:

FP4:/system # ls -l
total 88
drwxr-xr-x  2 root root   4096 2009-01-01 01:00 addon.d
drwxr-xr-x  2 root root   4096 2009-01-01 01:00 apex
drwxr-xr-x 45 root root   4096 2009-01-01 01:00 app
drwxr-x--x  4 root shell  8192 2009-01-01 01:00 bin
-rw-------  1 root root   6297 2009-01-01 01:00 build.prop
drwxr-xr-x 17 root root   4096 2009-01-01 01:00 etc
drwxr-xr-x  2 root root   8192 2009-01-01 01:00 fonts
drwxr-xr-x  5 root root   4096 2009-01-01 01:00 framework
drwxr-xr-x  5 root root  12288 2009-01-01 01:00 lib
drwxr-xr-x  5 root root  20480 2009-01-01 01:00 lib64
drwxr-xr-x 45 root root   4096 2009-01-01 01:00 priv-app
lrw-r--r--  1 root root      8 2009-01-01 01:00 product -> /product
lrw-r--r--  1 root root     11 2009-01-01 01:00 system_ext -> /system_ext
drwxr-xr-x  7 root root   4096 2009-01-01 01:00 usr
lrw-r--r--  1 root root      7 2009-01-01 01:00 vendor -> /vendor

Tried also the first method (sideload Bromite flashable .zip), this the result:

adb sideload BromiteSystemWebViewOverlay.zip
adb: sideload connection failed: closed
adb: trying pre-KitKat sideload method...
adb: pre-KitKat sideload connection failed: closed

I will wait: stay with @gael new WebView is cooming soon.
Thank you and @AnotherElk for the attention.

I believe I see that kind of adb errors when sideloading (apply update?) was not started on the recovery side.
Maybe.

1 Like

Since a few days, my bank app tells me to install uptodate webview, and refuses to work.

Another issue with the webview is that it does not support css rotate property. Not dangerous, just not-so-good.

Small subsidiary question, what about the Webview update? Does anyone have any information on this subject?

in /e/ 1.7 or 1.8 it received the 108.0.5359 update, check the ch-dates.txt posted up the thread, it has the current state. /e/ lags a bit, but not as outrageously as before. With a better build pipeline chances are it will not lag as gravely as before (it should be a checklist item on every release). To keep an eye on things is looking at browser repo commits and the apk lfs repo when the resulting build is incorporated. The updating brought some issues with banking sites along but were fixed in 1.9. For 1.10 there are some string changes again, but no Chrome/Bromite version rebase. This is a sports report.

4 Likes

Thank you for those infos :slight_smile: