tobykurien / WebApps

DEPRECATED ⛔️ Android app to provide sandboxed (private) browsing of webapps
MIT License

WebApps Sandboxed browser Android app

DEPRECATED - This project is no longer maintained, due to reasons explained in this issue


WebApps allows you to save websites, as if they were apps! It provides a secure way to browse popular webapps by eliminating referrers, 3rd party requests, 3rd party cookies, insecure HTTP requests, etc.

It accomplishes this by providing a sandbox for multiple webapps (like Google's apps, Facebook, Twitter, etc.). Each webapp runs in its own sandbox, with 3rd party requests (images, scripts, iframes, etc.) blocked, and all external links opening in an external default web browser (which should have cookies, plug-ins, flash, etc. disabled). All HTTP requests are blocked (only HTTPS allowed). This improves security, especially on untrusted networks. In addition, WebApps will warn you if the SSL certificate of the site you're viewing has changed, to alert you to a possible man-in-the-middle attack.

For a less security-focussed, but more media-friendly option, try Web Media Share, which is a fork of WebApps with specific focus on viewing and sharing/casting media.

Grab the APK from releases

Features

Cookies

Cookies are stored by Android's CookieManager, of which there is one instance per app. To prevent cookies from passing between sandboxes, the following has been implemented:

In short, there is a strict cookie policy in place that ensures that cookies are correctly sandboxed, and that no 3rd party cookies are saved or sent.

However, it should be noted that there are several techniques for storing unique identifiers, such as evercookie AKA supercookies. Thus, the strongest protection this app provides is the blocking of 3rd party requests, which is why it is important to pick services that use the fewest 3rd party requests, and to unblock as few of them as possible. In particular, CDNs and other common 3rd party services such as Cloudflare, jQuery, Google Fonts, Google Analytics, etc. should be blocked as much as possible.
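The request rules described above (HTTPS only, 3rd party requests blocked unless unblocked, external links handed to the external browser) can be written as one fail-closed decision function. This is an added example, not WebApps' own code: the class and method names, the rule that subdomains count as first party, and all hosts are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Added example (hypothetical names): per-request decision for one sandboxed webapp.
public class SandboxPolicy {
    enum Decision { ALLOW, BLOCK, OPEN_EXTERNAL }

    private final String appHost;         // host the webapp was saved under
    private final Set<String> unblocked;  // 3rd party hosts the user unblocked (lowercase)

    SandboxPolicy(String appHost, Set<String> unblocked) {
        this.appHost = appHost.toLowerCase(Locale.ROOT);
        this.unblocked = unblocked;
    }

    // Assumption: subdomains are first party. The "." boundary keeps a look-alike
    // such as "notwebmail.example" from matching "webmail.example".
    static boolean sameOrSubdomain(String host, String domain) {
        return host.equals(domain) || host.endsWith("." + domain);
    }

    Decision decide(String url, boolean isLinkNavigation) {
        URI uri;
        try { uri = URI.create(url); } catch (IllegalArgumentException e) { return Decision.BLOCK; }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return Decision.BLOCK;           // fail closed
        host = host.toLowerCase(Locale.ROOT);
        boolean firstParty = sameOrSubdomain(host, appHost);
        if (isLinkNavigation && !firstParty) return Decision.OPEN_EXTERNAL;  // leaves the sandbox
        if (!scheme.equalsIgnoreCase("https")) return Decision.BLOCK;        // HTTPS only
        if (firstParty || unblocked.contains(host)) return Decision.ALLOW;
        return Decision.BLOCK;                                               // 3rd party request
    }

    public static void main(String[] args) {
        SandboxPolicy p = new SandboxPolicy("webmail.example", Collections.singleton("cdn.example"));
        String[][] cases = {  // constructed sample requests: {url, isLinkNavigation}
            {"https://www.webmail.example/inbox", "false"},
            {"http://www.webmail.example/logo.png", "false"},
            {"https://notwebmail.example/x.js", "false"},
            {"https://cdn.example/app.js", "false"},
            {"https://tracker.invalid/pixel.gif", "false"},
            {"https://news.example/article", "true"},
        };
        for (String[] c : cases)
            System.out.println(p.decide(c[0], Boolean.parseBoolean(c[1])) + "  " + c[0]);
    }
}
```

In an Android WebView, a decision like this would typically be consulted from `WebViewClient.shouldInterceptRequest` for subresources and `shouldOverrideUrlLoading` for link navigations; that wiring is also an assumption, not taken from the project.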

Referer

Referer information is not sent on any request (as per the default behaviour of WebView), which may lead to problems on some sites, but improves privacy.

Storage

Plugins and local file access are disabled; however, DOM/local storage and app caching are allowed. All sandboxes share a single cache, so this is potentially a way to leak information between sandboxes.

Location

Since WebApps v3.0, location access has been enabled. WebApps will prompt for location access per web app, the first time the app requests your location. You can then permanently allow or deny location access, with an option to reset the app should you change your mind.

Privacy warnings

WebApps sandboxing is not perfect:

There are probably many more ways to leak identifying data across sites that I am not aware of.

Credits:

Development

Libraries

This project makes use of the following libraries/tools:

NOTE: There are many inter-dependencies between the various library versions, Gradle versions, Gradle plugin versions, Android SDK versions, and the JDK version (which has to be JDK 8 for Android)! Simply upgrading any one of these components is likely to cause a build failure, and this will not be easy to resolve.

Build and run

To run a debug build of this project:

VSCode

The easiest (although not the nicest) way to make changes to this app is to use VSCode and an Xtend plugin. While you get basic syntax highlighting, you will get no code completion/intellisense/code navigation/Java docs/etc. It is a basic text editor. On the plus side, setup is very easy, and it is light on RAM (can work on a machine with only 4Gb RAM).

You can run ./debug.sh after a code change to compile and run the app on an attached device. This is how this project is currently being maintained.

Eclipse

Eclipse is the best development environment for this project, because it makes use of Xtend lang that is only supported in Eclipse. In order to develop in Eclipse:

Android Studio

Development in Android Studio is not supported any longer, as the Xtend plugin for IntelliJ (https://plugins.jetbrains.com/plugin/8073-xtend-support) is not maintained.