Hello.
I have realized a number of potentially problematic issues which I want to have an open conversation with you about to find out if there is merit to these concerns.
As you know, system web view (SWV - Vanadium) is available to all apps and can't be disabled. This means that an app can call the SWV and either load a remote script to fingerprint the browser or load a local script in SWV and get a fingerprint of SWV. My guess is that it can do this in the background without the user even seeing anything (while the app is in use).
If the app has no network access, can the app use SWV to "send" data (requests with parameters, XHR, etc.)?
I tried testing this using Obtainium. I tried blocking SWV from internet access in GoS, but I noticed SWV already had no network permission. I set network permission to on, and then off to be sure. Then I tested the app. The first click on an item would not load its GitHub page, but the second try on the same item would. So I had gained access to the page through SWV even though SWV was given no network access.
Just to be safe, I erased all cache from SWV, and also erased all web history and cache from Vanadium as well and blocked Vanadium from internet as well. So now both Vanadium and SWV are network blocked (using system setting), while Obtainium has internet access. I then completely disabled Vanadium in app settings. Then I loaded Obtainium and tried again, and I was able to load GitHub pages in Obtainium again.
Next I erased all cache for SWV again and I disabled network access for Obtainium too. Pages couldn't load this time. SWV seemed to still be loading in the background but was getting a "no internet" error page and I was getting an "address not resolved" error in the foreground in Obtainium.
This is not a very decisive test as Obtainium may not be the best tool for testing this. But this test demonstrated that the network block for Obtainium also blocked SWV access. However, I am not so convinced that this can be trusted.
There are a few issues here:
- Does blocking network access "reliably" prevent an app from accessing the net through webview?
- If I need an app to HAVE internet access but not be able to access SWV, there is no way to achieve this. SWV can't be disabled.
- This is potentially a serious concern for profiles that have Google components installed (GSF, Photos, Google Camera), because even if they have internet blocked they may be able to communicate to the internet using webview, and could submit sensitive data (facial biometric data from photos, SWV fingerprint) to the internet. Or can they?
What is your understanding on this issue?