The mess meets Android

David Ludovino, The Chromium mess meets Android Jeremy Rand Proposals on how to get a fully free WebView build or replace it with something What is completely new WebView? Which apps use it? What’s underneath it? ∗ What’s the David Ludovino Jeremy Rand matter with Chromium?

WebView and Replicant Replicant

Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps ∗with support from Andr´esD and Kurtis Hanna Feedback? The Chromium mess meets Android What is WebView?

David Ludovino, Jeremy Rand Renders web content (HTML, CSS, JavaScript) What is WebView? inside apps. Which apps use it? What’s underneath it? API has been around since Android 1. What’s the matter with Chromium? public class MainActivity extends Activity { WebView and @Override Replicant protected void onCreate(Bundle state) { Chromium super.onCreate(state); forks WebView v = new WebView(this); Desktop Chromium setContentView(v); Android Chromium Stepwise cleansing v. loadUrl ("://replicant.us"); } GeckoView shim } Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Which apps use WebView? David Apps that render HTML: email clients, RSS readers, etc. Ludovino, Jeremy Rand Became pervasive with the advent of cross-platform mobile frameworks. What is WebView? Which apps use it? What’s underneath Half of the apps listed at PRISM Break depend on WebView it?

What’s the uses WebView does not use WebView matter with Chromium?

WebView and Replicant K-9 Mail OsmAnd Nextcloud Tiny Tiny Orbot F-Droid andOTP Shaarlier RSS Chromium forks Desktop Chromium Android Chromium Stepwise cleansing wallabag OpenKey- EteSync Syncthing Conversa- Silence App KeePass Jami chain tions DX GeckoView shim Mapping WebView to GeckoView

GeckoView on dande- Nomad Tusky Movim Bitmask - Fennec Thorium apps lion* guard F-Droid Browser

Feedback? The Chromium mess meets Android What is underneath WebView?

David Ludovino, Jeremy Rand

What is WebView? Which apps use it? What’s underneath it? WebKit until Android 4.3 Jelly Bean (API 18). What’s the matter with Chromium?

WebView and Replicant

Chromium forks Desktop Chromium Android Chromium Chromium from Android 4.4 KitKat (API 19) onwards. Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? Security issues: • Prevents users from escaping the certificate authority system for TLS.

Freedom issues: • Pre-built binaries throughout the code base. • Missing license in some source files.

Verdict: unfit for fully free-software distributions.

The Chromium mess meets Android What’s the matter with Chromium?

David Ludovino, Privacy issues: Jeremy Rand • Background requests to during build and run. What is WebView? • Depends on Google services for several features (e.g. Safe Browsing). Which apps use it? What’s underneath • it? Limited privacy controls. What’s the • API prevents extensions from blocking ads. matter with Chromium?

WebView and Replicant

Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? Freedom issues: • Pre-built binaries throughout the code base. • Missing license in some source files.

Verdict: unfit for fully free-software distributions.

The Chromium mess meets Android What’s the matter with Chromium?

David Ludovino, Privacy issues: Jeremy Rand • Background requests to Google during build and run. What is WebView? • Depends on Google services for several features (e.g. Safe Browsing). Which apps use it? What’s underneath • it? Limited privacy controls. What’s the • API prevents extensions from blocking ads. matter with Chromium?

WebView and Security issues: Replicant • Prevents users from escaping the certificate authority system for TLS. Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? Verdict: unfit for fully free-software distributions.

The Chromium mess meets Android What’s the matter with Chromium?

David Ludovino, Privacy issues: Jeremy Rand • Background requests to Google during build and run. What is WebView? • Depends on Google services for several features (e.g. Safe Browsing). Which apps use it? What’s underneath • it? Limited privacy controls. What’s the • API prevents extensions from blocking ads. matter with Chromium?

WebView and Security issues: Replicant • Prevents users from escaping the certificate authority system for TLS. Chromium forks Desktop Chromium Freedom issues: Android Chromium Stepwise cleansing • Pre-built binaries throughout the code base. GeckoView shim • Missing license in some source files. Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android What’s the matter with Chromium?

David Ludovino, Privacy issues: Jeremy Rand • Background requests to Google during build and run. What is WebView? • Depends on Google services for several features (e.g. Safe Browsing). Which apps use it? What’s underneath • it? Limited privacy controls. What’s the • API prevents extensions from blocking ads. matter with Chromium?

WebView and Security issues: Replicant • Prevents users from escaping the certificate authority system for TLS. Chromium forks Desktop Chromium Freedom issues: Android Chromium Stepwise cleansing • Pre-built binaries throughout the code base. GeckoView shim • Missing license in some source files. Mapping WebView to GeckoView

GeckoView on Verdict: unfit for fully free-software distributions. apps

Feedback? The Chromium mess meets Android WebView and Replicant

David Ludovino, Jeremy Rand

What is Replicant: WebView? Which apps use it? • Android distribution What’s underneath it? • compliant with GNU Free System Distribution Guidelines (FSDG) What’s the matter with Chromium?

WebView and Replicant Using outdated WebView based on Chromium 43: lots of security concerns. Chromium forks Desktop Chromium Android Chromium Stepwise cleansing How to create a WebView build that respects user’s privacy and freedom? GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Desktop Chromium forks

David Ludovino, Jeremy Rand

What is • ungoogled-chromium: aligned with privacy and freedom WebView? Which apps use it? What’s underneath it? • Bromite: can build WebView; only focused on privacy and ad blocking What’s the matter with Chromium? • : replaces pre-builts with system libs; Google services not removed WebView and Replicant

Chromium • Iridium: one step on every direction; not as thorough as others forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView Guix, a FSDG compliant distro, uses: shim ungoogled-chromium + build recipe that removes some files. Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Android Chromium forks

David Ludovino, Jeremy Rand

What is WebView? Android builds require many more pre-builts and proprietary dependencies. Which apps use it? E.g.: Google Mobile Services (GMS) What’s underneath it?

What’s the matter with Chromium? • ungoogled-chromium-android: ungoogled-chromium + Android specific WebView and Replicant patches; has some remaining pre-builts

Chromium forks Desktop Chromium • Unobtainium: aimed to be built within F-Droid (forbids pre-builts); Android Chromium Stepwise cleansing project is unmaintained

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Android Chromium forks David strings classes.dex | grep google Ludovino, Jeremy Rand Chromium 78 WebView - 227 lines . You must have the following declaration within the : What is WebView? Google Inc .1 Google Inc .1 Which apps use it? Google Inc .1 What’s underneath A required meta-data tag in your app’s AndroidManifest. does not exist. it? You must have the following declaration within the element: RCompositeGoogle ApiClient should not be used without any that require sign-in. What’s the OConnection timed out while waiting for services update to complete. matter with +Failed to connect to : -Failed to get Google certificates from remote Chromium? Google Play Services "Google Play Services not available WebView and Google Play Store is missing. $Google Play Store signature invalid. Replicant 0Google Play services is invalid. Cannot recover. Google Play services is missing. Chromium ;Google Play services missing when getting application info. ,Google Play services out of date. Requires forks ’Google Play services signature invalid. Desktop Chromium Google ApiActivity Google ApiAvailability Android Chromium &Google ApiClient connecting is in step Stepwise cleansing )Google ApiClient is not configured to use HGoogle ApiClient is not configured to use the API required for this call. GeckoView Google ApiClient is not configured to use the LocationServices.API Api. Pass thisinto Google ApiClient.Builder#addApi() to use this feature. %Google ApiClient is not connected yet. shim Google ApiClient must not be null Mapping WebView &Google ApiClient parameter is required. to GeckoView Google ApiClient received too many callbacks for the given step. Clients may be in an unexpected state; Google ApiClient will disconnect. Google ApiClientConnecting Google ApiClientImpl GeckoView on Google ApiHandler apps Google ApiManager Google Certificates /Google Certificates has been initialized already Feedback? Google PlayServicesErrorDialog Google PlayServicesUtil Google SignatureVerifier

David Ludovino, Jeremy Rand strings classes.dex | grep google

What is WebView? ungoogled-chromium-android 77 WebView - 10 lines Which apps use it? What’s underneath OMX.google . it? OMX.google .raw.decoder com .google . What’s the . com .google .android.apps.chrome.extra.cpu_count matter with 1 com .google .android.apps.chrome.extra.cpu_features com .google .android.gms Chromium? Ccom .google .devtools.build.android.desugar.runtime.twr_disable_mimic com .google .protobuf.Extension WebView and % com .google .protobuf.ExtensionRegistry dns .google Replicant

Chromium forks Desktop Chromium Replicant 6 WebView - 7 lines Android Chromium 1 com .google .android.apps.chrome.extra.command_line Stepwise cleansing . com .google .android.apps.chrome.extra.cpu_count 1 com .google .android.apps.chrome.extra.cpu_features GeckoView / com .google .android.apps.chrome.extra.extraFile_ shim ’com .google . android .google quicksearchbox com .google .android.webview Mapping WebView %content://com.google .settings/partner to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Approach #1: Stepwise cleansing

David Ludovino, Jeremy Rand Still no 100% free-software WebView apk void of privacy concerns.

What is WebView? Tentative approach: Which apps use it? What’s underneath it? 1 Start with Guix’s source code for ungoogled-chromium. What’s the matter with 2 Run ’s license check script on it. Chromium? 3 Check if original Chromium bug about licensing still applies (was mostly WebView and Replicant related to third-party code). Chromium forks 4 Try to build WebView (will probably fail). Desktop Chromium Android Chromium 5 Cherry pick patches from ungoogled-chromium-android and Unobtainium. Stepwise cleansing 6 GeckoView Build everything in fdroid-server (picks leftover pre-builts). shim Mapping WebView 7 Send recipe for peer-review at GNU--libre. to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Approach #2: WebView API compatibility shim David for GeckoView Ludovino, Jeremy Rand

What is WebView? Which apps use it? Chromium fork requires constant maintenance burden. What’s underneath it? Google’s interests do not align with ours. Check Mozilla. What’s the matter with Chromium? WebView and GeckoView: Replicant

Chromium • Java wrapper for Gecko browser engine. forks Desktop Chromium • Used in Android apps as replacement for WebView. Android Chromium Stepwise cleansing • API is incompatible with WebView: not meant to be a drop-in. GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? • Others require emulation. WebView GeckoView getTitle() GeckoSession.HistoryDelegate.HistoryItem.getTitle() pageDown() PanZoomController.scrollBy(width,height)

• Others require more features from Gecko to be exposed via GeckoView, e.g. zoomIn().

• Others still, added on latest Android APIs (26-29), seem too tied to Chromium, e.g. getWebViewLooper(), getWebChromeClient(), getWebViewClient().

The Chromium mess meets Android Mapping WebView to GeckoView David • Some functions have a 1:1 mapping. Ludovino, Jeremy Rand WebView GeckoView goBack(), goForward() GeckoSession.NavigationDelegate What is WebView? loadUrl() GeckoSession.loadUri() Which apps use it? stopLoading() GeckoSession.stop() What’s underneath it?

What’s the matter with Chromium?

WebView and Replicant

Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? • Others require more features from Gecko to be exposed via GeckoView, e.g. zoomIn().

• Others still, added on latest Android APIs (26-29), seem too tied to Chromium, e.g. getWebViewLooper(), getWebChromeClient(), getWebViewClient().

The Chromium mess meets Android Mapping WebView to GeckoView David • Some functions have a 1:1 mapping. Ludovino, Jeremy Rand WebView GeckoView goBack(), goForward() GeckoSession.NavigationDelegate What is WebView? loadUrl() GeckoSession.loadUri() Which apps use it? stopLoading() GeckoSession.stop() What’s underneath it? What’s the • Others require emulation. matter with Chromium? WebView GeckoView WebView and getTitle() GeckoSession.HistoryDelegate.HistoryItem.getTitle() Replicant pageDown() PanZoomController.scrollBy(width,height) Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? • Others still, added on latest Android APIs (26-29), seem too tied to Chromium, e.g. getWebViewLooper(), getWebChromeClient(), getWebViewClient().

The Chromium mess meets Android Mapping WebView to GeckoView David • Some functions have a 1:1 mapping. Ludovino, Jeremy Rand WebView GeckoView goBack(), goForward() GeckoSession.NavigationDelegate What is WebView? loadUrl() GeckoSession.loadUri() Which apps use it? stopLoading() GeckoSession.stop() What’s underneath it? What’s the • Others require emulation. matter with Chromium? WebView GeckoView WebView and getTitle() GeckoSession.HistoryDelegate.HistoryItem.getTitle() Replicant pageDown() PanZoomController.scrollBy(width,height) Chromium forks Desktop Chromium • Others require more features from Gecko to be exposed via GeckoView, e.g. Android Chromium Stepwise cleansing zoomIn(). GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Mapping WebView to GeckoView David • Some functions have a 1:1 mapping. Ludovino, Jeremy Rand WebView GeckoView goBack(), goForward() GeckoSession.NavigationDelegate What is WebView? loadUrl() GeckoSession.loadUri() Which apps use it? stopLoading() GeckoSession.stop() What’s underneath it? What’s the • Others require emulation. matter with Chromium? WebView GeckoView WebView and getTitle() GeckoSession.HistoryDelegate.HistoryItem.getTitle() Replicant pageDown() PanZoomController.scrollBy(width,height) Chromium forks Desktop Chromium • Others require more features from Gecko to be exposed via GeckoView, e.g. Android Chromium Stepwise cleansing zoomIn(). GeckoView shim Mapping WebView • Others still, added on latest Android APIs (26-29), seem too tied to to GeckoView Chromium, e.g. getWebViewLooper(), getWebChromeClient(), GeckoView on apps getWebViewClient(). Feedback? The Chromium mess meets Android Mapping WebView to GeckoView

David Ludovino, Jeremy Rand

What is WebView? Which apps use it? Requires a considerable effort. What’s underneath it?

What’s the matter with Can pay off in the long-term: no need to constantly scout for proprietary Chromium? dependencies and privacy issues. WebView and Replicant

Chromium Burden may be lessened by collaborations, e.g., qt5-webengine replacement with forks Gecko underneath. Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Approach #3: GeckoView on apps

David Ludovino, Jeremy Rand

What is WebView? Which apps use it? What’s underneath it? Fork apps to use GeckoView instead of WebView. What’s the matter with Chromium? Impossible for the small Replicant team to maintain. WebView and Replicant Would only work if app maintainers perceive GeckoView as a better alternative. Chromium forks Desktop Chromium Android Chromium Stepwise cleansing

GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Feedback?

David Ludovino, Jeremy Rand

What is WebView? • Questions Which apps use it? What’s underneath it? • Comments What’s the matter with Chromium? • Ideas WebView and Replicant • Collaboration Chromium forks Desktop Chromium Android Chromium Stepwise cleansing All welcomed! GeckoView shim Mapping WebView to GeckoView

GeckoView on apps

Feedback? The Chromium mess meets Android Licenses (I)

David item source license Ludovino, K-9 Mail logo https://github.com/k9mail/k-9 Apache-2.0 Jeremy Rand OsmAnd logo https://github.com/osmandapp/Osmand CC-BY-NC-ND 4.0 Nextcloud logo https://github.com/nextcloud/android AGPLv3 What is Tiny Tiny RSS logo https://gitlab.com/derSchabi/tttrsss GPLv3 WebView? Which apps use it? I2P logo https://github.com/i2p/i2p.android.base Apache-2.0 What’s underneath Orbot logo https://gitweb.torproject.org/orbot.git BSD it? F-Droid logo https://gitlab.com/fdroid/fdroidclient GPLv3 What’s the andOTP logo https://github.com/andOTP/andOTP MIT matter with Chromium? Shaarlier logo https://github.com/dimtion/Shaarlier GPLv3 wallabag logo https://github.com/wallabag/android-app GPLv3 WebView and OpenKeychain logo https://github.com/open-keychain/open-keychain GPLv3 Replicant EteSync logo https://github.com/etesync/android GPLv3 Chromium Syncthing logo https://github.com/syncthing/syncthing-android MPLv2 forks Briar logo GPLv3 Desktop Chromium https://code.briarproject.org/briar/briar Android Chromium Conversations logo https://github.com/siacs/Conversations GPLv3 Stepwise cleansing Signal logo https://github.com/signalapp/Signal-Android GPLv3 GeckoView Silence logo https://git.silence.dev/Silence/Silence-Android GPLv3 shim Tinc App logo https://github.com/pacien/tincapp GPLv3 Mapping WebView to GeckoView KeePass DX logo https://github.com/Kunzisoft/KeePassDX GPLv3 dandelion* logo https://github.com/gsantner/dandelion GPLv3 GeckoView on apps Nomad logo https://framagit.org/disroot/AndHub GPLv3

Feedback? The Chromium mess meets Android Licenses (II)

David Ludovino, item source license Jeremy Rand Tusky logo https://github.com/tuskyapp/Tusky GPLv3 Movim logo https://github.com/movim/movim_android AGPLv3 What is WebView? Jami logo https://git.jami.net/savoirfairelinux/ring-client-android GPLv3 Which apps use it? Bitmask logo https://0xacab.org/leap/bitmask_android GPLv3 What’s underneath WireGuard logo https://git.zx2c4.com/wireguard-android Apache-2.0 it? Fennec logo https://hg.mozilla.org/releases/mozilla-esr68 MPL-2.0 What’s the Tor Browser logo https://gitweb.torproject.org/tor-browser.git MPL-2.0 matter with Chromium? Thorium logo https://github.com/sschueller/peertube-android AGPLv3 WebKit logo https://en.wikipedia.org/wiki/File:WebKit_logo_(2015).svg non-free WebView and Replicant Chromium logo https://commons.wikimedia.org/wiki/File:Chromium_11_Logo.svg CC-BY 2.5 Replicant logo https://redmine.replicant.us/projects/replicant/wiki/Artwork CC-BY-SA 3.0 Chromium forks Guix logo https://git.savannah.gnu.org/cgit/guix/guix-artwork.git/ CC-BY-SA 4.0 Desktop Chromium Bromite logo https://github.com/bromite/bromite.github.io GPLv3 Android Chromium Iridium logo https://github.com/iridium-browser/artwork non-free Stepwise cleansing Debian logo https://www.debian.org/logos/ CC-BY-SA 3.0 GeckoView Unobtainium logo https://gitlab.com/thermatk/Unobtainium BSD shim GeckoView logo https://github.com/mozilla/geckoview non-free Mapping WebView to GeckoView everything else this slideshow CC BY-SA 4.0

GeckoView on apps

Feedback?