Google announced earlier this week plans to enable Safe Browsing support for the Android WebView component, a stripped-down browser that comes with all Android versions.
The Safe Browsing API is a blacklist of malicious links that host malware, phishing pages, or other deceptive sites. Google launched Safe Browsing more than a decade ago, when it integrated the API with Chrome, becoming a staple feature of Google's main browser.
WebView is a core component of the Android ecosystem. Under the hood, WebView is a stripped-down version of the WebKit rendering engine, Google Chrome's former core engine before it was replaced with Blink.
Android uses WebView to render web pages inside other applications. Over the years, WebView has become quite a popular component, as it allows apps to embed web content without sending users to other apps —dedicated browsers. For example, apps like Facebook, Twitter, or Signal, use WebView to view web links or show login pages to authenticate users.
But despite its popularity, WebView doesn't receive the same level of security enhancements as Google Chrome, Firefox, or other pure mobile browsers.
Google, for example, only last year added support for Safe Browsing to work inside WebView. The feature was added in Android Oreo (8.0) but was not turned on by default, as developers specifically had to enable it in each app where they used a WebView component.
This week, Google said that with the release of WebView 66, the Safe Browsing service would be turned on by default in all WebView-capable apps.
"Developers of Android apps using WebView no longer have to make any changes to benefit from this protection," Nate Fischer, a Google Software Engineer, said.
Earlier this month, Google also announced that the upcoming version of the Android P (9.0) operating system would also feature two other major security features. The first is that all apps will have to use TLS to encrypt communications between the smartphone and a remote server, while the second is support for DNS over TLS, a feature that encrypts and hides DNS queries from third-parties that are passively observing network traffic.