If you *don't* see that, you're dealing with a WebView -- which is the app doing a *very bad thing*. What's the difference? Buckle up, this gets slightly technical. WebView is a system component of Android. These days, it auto-updates, but didn't always do so.
WebViews were designed for loading content *from the app* into the app. That is, stuff it trusts. The threat model both from security and privacy is pretty straightforward. Things get funky when you load stuff from other parties.
Browsers, on the other hand, are designed to update outside the OS update cycle and fundamentally mistrust content -- they're the *user's* agent, rather than an app component.
This difference runs deep, but the most important thing to understand is that users choose browsers. That's an intentional preference that should mean something.
When apps use CCT to load third-party content, they are _respecting user choice_. But they're also practicing security hygiene and acting as good web citizens. Why? First, WebView puts the problem of loading content onto the app. This means that apps *incidentally* see plaintext
CCT invocation, on the other hand, delegates this problem to the user's default browser. And browsers spend a _lot_ of time and effort getting transport security and UI indicators about safety right. Now, OS vendors realized that this was happening and have responded (a bit).
Modern WebView on Android is powered by an auto-updating Chrome. But that still leaves ~8% of devices without up-to-date WebView runtimes: https://developer.android.com/about/dashboards/ …
...for context, that's almost half the number of people with iPhones. The scale of Android is mind-boggling. But even with auto-updating WebView handling (some of) the security aspects, the privacy issue remains. WebViews aren't browsers.
Installing a different browser as your default on the system doesn't change the app's WebView implementation. Sure, they can bring their own (super common in CN), but user choice and privacy are undermined. The app *still gets to see everything you do in the WebView*.
Replying to @slightlylate
Is it possible to disable web-views from accessing 3rd party content?
Sadly, no. I suspect the correct answer will be app store policy disallowing IABs that aren't CCT/SVC.
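
From the app developer's side, the split the thread describes (WebView for the app's own content, CCT for everything else) can be enforced in the app's own `WebViewClient`. The following is an added example, not code from the thread or from any project it mentions; the host `app.example.com` and the class name `FirstPartyOnlyClient` are hypothetical, and it assumes the `androidx.browser` library is on the classpath.

```kotlin
import android.app.Activity
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.browser.customtabs.CustomTabsIntent

// Hypothetical: the only host whose content this app ships and trusts.
private const val FIRST_PARTY_HOST = "app.example.com"

class FirstPartyOnlyClient(private val activity: Activity) : WebViewClient() {

    // Called when the WebView is about to navigate (main frame or subframe).
    // Returning true cancels the navigation inside the WebView.
    override fun shouldOverrideUrlLoading(
        view: WebView,
        request: WebResourceRequest
    ): Boolean {
        val uri: Uri = request.url

        // The app's own HTTPS content stays in the WebView.
        if (isFirstParty(uri)) return false

        // Third-party page: hand the top-level navigation to a Custom Tab, so
        // the browser, not the app, handles transport security and the page
        // content never passes through app-controlled code.
        if (request.isForMainFrame && (uri.scheme == "https" || uri.scheme == "http")) {
            CustomTabsIntent.Builder().build().launchUrl(activity, uri)
        }

        // Everything that is not first-party is refused by the WebView,
        // including third-party subframes and non-web schemes.
        return true
    }

    private fun isFirstParty(uri: Uri): Boolean =
        uri.scheme == "https" && uri.host.equals(FIRST_PARTY_HOST, ignoreCase = true)
}

// Usage inside an Activity (webView is the app's WebView instance):
//   webView.webViewClient = FirstPartyOnlyClient(this)
//   webView.loadUrl("https://$FIRST_PARTY_HOST/")
```

This callback only covers navigations; subresource requests made by a loaded page are not routed through it, so it is a policy for which pages the WebView renders, not a network filter.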