  • Stars 229
  • Rank 168,618 (Top 4 %)
  • Language Xtend
  • License MIT License
  • Created over 10 years ago
  • Updated almost 2 years ago


Repository Details

DEPRECATED ⛔️ Android app to provide sandboxed (private) browsing of webapps

WebApps Sandboxed browser Android app

DEPRECATED - This project is no longer maintained, due to reasons explained in this issue


WebApps allows you to save websites, as if they were apps! It provides a secure way to browse popular webapps by eliminating referrers, 3rd party requests, 3rd party cookies, insecure HTTP requests, etc.

It accomplishes this by providing a sandbox for multiple webapps (like Google's apps, Facebook, Twitter, etc.). Each webapp runs in its own sandbox, with 3rd party requests (images, scripts, iframes, etc.) blocked, and all external links opening in an external default web browser (which should have cookies, plug-ins, flash, etc. disabled). All HTTP requests are blocked (only HTTPS is allowed). This improves security, especially on untrusted networks. In addition, WebApps will warn you if the SSL certificate of the site you're viewing has changed, to alert you to a possible man-in-the-middle attack.

For a less security-focussed, but more media-friendly option, try Web Media Share, which is a fork of WebApps with specific focus on viewing and sharing/casting media.

Grab the APK from releases

Features

  • Works like Mozilla Prism on the desktop. This is a mostly chrome-less browser that gets out of your way.
  • Completely full-screen browsing (auto-hiding actionbar)
  • Securely browse mobile sites (uses HTTPS only)
  • Blocks 3rd party requests (images/scripts/iframes) like the NoScript, NotScripts, uMatrix, uBlock Origin plugins on the desktop
  • Allows self-signed SSL certificates to be saved
  • Warns if server SSL certificate changes (e.g. during man-in-the-middle-attack)
  • User agent and text size setting (per site) allows more rich mobile experience (depending on site)
  • External links (outside the domain of the site visited) open in your default browser
  • Long-press links to choose how to open them
  • Create shortcuts to your webapps on the homescreen
  • Uses much less bandwidth than native apps (like Google+ app). No background sync'ing.
  • Features local data storage and caching for reduced bandwidth usage and better speed.
  • Fully open source software.

Cookies

Cookies are stored by Android's CookieManager, of which there is one instance per app. To prevent cookies from passing between sandboxes, the following has been implemented:

  • All cookies in the CookieManager are deleted when opening a URL or web app.
  • For saved web apps, the saved cookies are restored, and the app opened.
  • Cookies are only saved for the root domain of the saved web app, and made available to all sub-domains.
  • No 3rd party cookies are saved or sent. This may prevent some sites from working correctly.

In short, there is a strict cookie policy in place that ensures that cookies are correctly sandboxed, and that no 3rd party cookies are saved or sent.
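The four rules above, modelled as an added example (this is not WebApps' own Xtend code). The class, its method names, the `close()` save point and the `.test` domains are assumptions made for illustration; a plain dict stands in for the single CookieManager store.

```python
def in_site(host, root):
    """True if host is the root domain or one of its sub-domains."""
    return host == root or host.endswith("." + root)

class CookieSandbox:
    """Model of one shared cookie store used by many web apps in turn."""

    def __init__(self):
        self.jar = {}        # the single live store: cookie name -> value
        self.saved = {}      # hypothetical per-app storage: root domain -> {name: value}
        self.root = None     # root domain of the site currently open
        self.persist = False

    def open(self, root, saved_app):
        self.jar.clear()                         # rule 1: wipe what the previous site left
        self.root, self.persist = root, saved_app
        if saved_app:                            # rule 2: restore only this app's cookies
            self.jar.update(self.saved.get(root, {}))

    def set_cookie(self, host, name, value):
        """Handle a Set-Cookie from `host`; returns False when dropped as 3rd party."""
        if not in_site(host, self.root):         # rule 4: never store 3rd party cookies
            return False
        self.jar[name] = value                   # rule 3: scoped to the root domain
        return True

    def cookies_for(self, host):
        """Cookies sent to `host`: all of them for sub-domains, none off-site."""
        return dict(self.jar) if in_site(host, self.root) else {}

    def close(self):
        """Assumed save point: persist the jar for saved web apps only."""
        if self.persist:
            self.saved[self.root] = dict(self.jar)

def demo():
    """Constructed walk-through: two saved apps sharing the one store."""
    box = CookieSandbox()
    box.open("mail.test", saved_app=True)
    box.set_cookie("www.mail.test", "session", "A1")
    dropped = not box.set_cookie("ads.tracker.test", "uid", "T9")
    box.close()
    box.open("social.test", saved_app=True)
    leaked = box.cookies_for("api.social.test")   # must not hold mail.test's session
    box.close()
    box.open("mail.test", saved_app=True)
    restored = box.cookies_for("m.mail.test")     # sub-domain sees the restored cookie
    return dropped, leaked, restored
```
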

However, it should be noted that there are several techniques for storing unique identifiers, such as evercookie (AKA supercookies). Thus, the strongest protection this app provides is the blocking of 3rd party requests, which is why it is important to pick services that make the fewest 3rd party requests, and to unblock as few of them as possible. In particular, CDNs and other common 3rd party services such as CloudFlare, jQuery, Google Fonts, Google Analytics, etc. should be blocked as much as possible.

Referer

Referer information is not sent on any request (as per the default behaviour of WebView), which may lead to problems on some sites, but improves privacy.

Storage

Plugins and local file access are disabled; however, DOM/local storage and app caching are allowed. There is only one cache, shared by all sandboxes, so this is potentially a way to leak information between sandboxes.

Location

Since WebApps v3.0, location access has been enabled. WebApps will prompt for location access per web app, the first time the app requests your location. You can then permanently allow or deny location access, with an option to reset the app should you change your mind.

Privacy warnings

WebApps sandboxing is not perfect:

  • WebApps relies on Android System WebView (or Bromite if you have that installed) which may or may not make additional requests, send out identifying headers, implement FLoC or similar, etc.
  • Evercookie/supercookies can leak information between sandboxes
  • Browser fingerprinting can be used to identify our browser across domains
  • The shared cache can be abused to leak information between sandboxes
  • CNAME cloaking (see https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a) can be used to bypass 3rd-party content blocking, and is being increasingly used across the web
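
The HTTPS-only, 3rd-party-blocking and external-link rules described earlier, together with the reason CNAME cloaking gets past a hostname-based check, as an added example (not WebApps' own code). Function names are hypothetical, the root domain is taken as given, and the CNAME records are a constructed dict rather than live DNS answers.

```python
from urllib.parse import urlsplit

def in_site(host, root):
    """True if host is the web app's root domain or one of its sub-domains."""
    host, root = host.lower().rstrip("."), root.lower().rstrip(".")
    return host == root or host.endswith("." + root)

def decide(url, root, main_frame=False):
    """Return 'load', 'block' or 'external' for a request made inside the sandbox for `root`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if main_frame and not in_site(host, root):
        return "external"   # link leaving the site: hand over to the default browser
    if parts.scheme != "https":
        return "block"      # plain HTTP (or any non-HTTPS scheme) is never loaded
    if not in_site(host, root):
        return "block"      # 3rd party image/script/iframe
    return "load"

def cloaked_target(host, root, cname_of):
    """Follow CNAME records; return the canonical name if it lies outside `root`, else None."""
    host, seen = host.lower().rstrip("."), set()
    while host in cname_of and host not in seen:   # `seen` guards against CNAME loops
        seen.add(host)
        host = cname_of[host].lower().rstrip(".")
    return None if in_site(host, root) else host

def audit(requests, root, cname_of):
    """Decide each (url, main_frame) request and flag loads that resolve off-site."""
    report = []
    for url, main_frame in requests:
        verdict = decide(url, root, main_frame)
        host = urlsplit(url).hostname or ""
        alias = cloaked_target(host, root, cname_of) if verdict == "load" else None
        report.append((url, verdict, alias))
    return report

# Constructed sample data (reserved example/test names, not real traffic or DNS answers).
ROOT = "example.com"
CNAMES = {"metrics.example.com": "collector.tracker.test"}
REQUESTS = [
    ("https://www.example.com/app.js", False),
    ("http://www.example.com/logo.png", False),
    ("https://cdn.thirdparty.test/lib.js", False),
    ("https://news.other.test/story", True),
    ("https://metrics.example.com/pixel.gif", False),
]
```

The last sample request is allowed by the hostname check yet resolves to a different domain, which is why a hostname-only filter needs a DNS-level check to catch cloaked trackers.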

There are probably many more ways to leak identifying data across sites that I am not aware of.

Credits:

Development

Libraries

This project makes use of the following libraries/tools:

NOTE: There are many inter-dependencies between the various library versions, Gradle versions, Gradle plugin versions, Android SDK versions, and the JDK version (which has to be JDK 8 for Android)! Simply upgrading any one of these components is likely to cause a build failure, and this will not be easy to resolve.

Build and run

To run a debug build of this project:

  • Clone or download the git repository to your local machine (git clone git@github.com:tobykurien/WebApps.git)
  • Run ./debug.sh to build a debug APK and upload it to a connected device.

VSCode

The easiest (although not the nicest) way to make changes to this app is to use VSCode and an Xtend plugin. While you get basic syntax highlighting, you will get no code completion/IntelliSense/code navigation/Java docs/etc. It is a basic text editor. On the plus side, setup is very easy, and it is light on RAM (it can work on a machine with only 4 GB of RAM).

You can run ./debug.sh after a code change to compile and run the app on an attached device. This is how this project is currently being maintained.

Eclipse

Eclipse is the best development environment for this project, because the project uses the Xtend language, which is only supported in Eclipse. In order to develop in Eclipse:

  • UPDATE: due to this issue the Gradle android eclipse plugin had to be removed from the repo, so you will need to manually compile that gradle plugin with JDK8 and add it to the app/build.gradle file to continue. Alternatively, copy the compiled version from here and apply the plugin as in build.gradle. This plugin is needed to set up Eclipse to work with Android AAR dependencies.
  • Install the Xtend plugin for Eclipse
  • Clone the git repository to your local machine (git clone ...)
  • Inside the checked-out folder, run: ./gradlew eclipse. This will download all the required 3rd party libraries and create the Eclipse classpath and project files
  • Open Eclipse and import the project in the app folder using File -> Import -> Gradle -> Existing Gradle Project (not as a generic project)
  • Right-click the "app" project -> Properties -> Add Variable -> Configure Variables -> New
    • add a new variable called ANDROID_HOME and point it to the location of your android SDK installation
    • Apply and Close, and do a full re-build
  • The project should now compile in Eclipse

Android Studio

Development in Android Studio is not supported any longer, as the Xtend plugin for IntelliJ (https://plugins.jetbrains.com/plugin/8073-xtend-support) is not maintained.
