Google is killing off its proposal for the “Web Environment Integrity API” as a new web standard, though Android phones will still have to deal with it. According to Google’s proposal document, the primary goal of the project was to “allow web servers to evaluate the authenticity of the device and honest representation of the software stack”—basically, Google wanted a DRM gatekeeper for the web. The project received widespread coverage in July and was widely panned.
The ominously vague plan was to allow web browsers to detect if your computer was “modified” in a way that the webpage didn’t like. Presumably, this could be anything from a rooted/jailbroken phone to having an undesirable plug-in (read: ad blockers) installed. When you tried to access some protected content, a browser supporting the Web Integrity API would first contact a third-party “environment attestation” server, and your computer would have to pass some kind of test. After having your local environment uh… scanned? passing environments would receive a signed “IntegrityToken” that points to the content you wanted unlocked. You would bring this back to the web server and would finally get the content unlocked.
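The flow described above, as an added example that is not Google's code or part of the original article: a toy attester and web server showing that the token is only worth its signature and its binding to one piece of content. The token layout, the function names and the HMAC standing in for the attester's signature are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HMAC stands in for the attester's signature so the
# example runs on the standard library; a real attester would sign with a
# private key and the web server would hold only the public key.
ATTESTER_KEY = b"constructed-demo-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def attester_issue(environment_ok: bool, content_id: str):
    """Attestation server: sign a token only for environments that pass."""
    if not environment_ok:
        return None  # failing environments get no token
    payload = json.dumps({"verdict": "pass", "content": content_id},
                         sort_keys=True).encode()
    tag = hmac.new(ATTESTER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def server_unlock(token, requested_content: str) -> bool:
    """Web server: check the signature, then the content the token points to."""
    if not token or token.count(".") != 1:
        return False
    payload_b64, tag_b64 = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False
    expected = hmac.new(ATTESTER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # altered, or not issued by the attester
    claims = json.loads(payload)
    return (claims.get("verdict") == "pass"
            and claims.get("content") == requested_content)

def demo():
    token = attester_issue(True, "/video/123")  # constructed content id
    refused = attester_issue(False, "/video/123")
    return {
        "passing environment": server_unlock(token, "/video/123"),
        "token reused for other content": server_unlock(token, "/video/456"),
        "failing environment": server_unlock(refused, "/video/123"),
    }

if __name__ == "__main__":
    print(demo())
```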
Google’s proposal didn’t go over well. The explainer was full of conflicting information about just how invasive it wanted to be and what its goals were. Google pinky-promised it wasn’t meant to “enforce or interfere with browser functionality, including plugins and extensions”—this is a vague reference to ad blockers—but also the proposal’s very first example had to do with more accurately measuring ad impressions. Even more alarming was that this wasn’t a discussion—Google never publicized the feature for any kind of feedback, and the company was already actively prototyping the feature in Chrome before the Internet really found out about it.
On the Android Developer Blog, oddly, Google has officially announced the death of the proposed web standard. The company says: “We’ve heard your feedback, and the Web Environment Integrity proposal is no longer being considered by the Chrome team.” I believe this is the first time Web Integrity has ever been mentioned in a Google blog post, but hooray! It’s dead. On to the next problem:
Pivot to Android, ensuring YouTube Vanced doesn’t rise from the grave?
The project isn’t totally dead, though. Google has now pivoted to “an experimental Android WebView Media Integrity API [emphasis ours].” Unlike the web version, which would have been a huge step “forward” for invasive DRM solutions, Android already has environment attestation, so it doesn’t sound like this is doing that much. Google said the inspiration for the original Web Integrity project was Android’s Play Integrity API, which already scans your phone for root privileges and denies access to things like games, media, and banking apps. Google now wants to be able to do that through embedded Android WebViews (web content displayed in apps), claiming that “media content providers” would be interested in such a thing.
If you’re Spotify or YouTube, you can already block modified devices at the app level before the embedded WebView even boots up, via the Play Integrity API. Google also has a preinstalled, unremovable Android DRM called “Widevine” made specifically for media playback. Netflix famously demands preinstallation of Widevine on devices in order to show HD content, and problems with the DRM are a common support issue.
Google clearly sees that this proposal is disliked, so its pivot to an Android WebView component suggests it has some specific internal need for locking down WebViews with DRM. Google is so suspiciously vague about these projects, though, that it’s hard to know what exactly the company’s intent is. The blog post notes that while Android’s WebView system brings “a lot of flexibility… it can be used as a means for fraud and abuse, because it allows app developers to access web content, and intercept or modify user interactions with it. While this has its benefits when apps embed their own web content, it doesn’t prevent bad actors from modifying content and, by proxy, misrepresenting its source.”
Other than the usual malware boogeymen, that sounds a lot like the use case of YouTube Vanced, a (now dead) modified YouTube Android app. Vanced used a WebView and tricked YouTube into playing ad-free videos and unlocked YouTube Premium features like background playback. Because Vanced was just an app, it didn’t require root and wasn’t stopped by the Play Integrity API. Allowing YouTube to reach into your phone through the WebView sounds like something that could shut down these “alternative” clients, though. Google has become increasingly hostile toward ad blockers lately, and while the Google legal department already killed YouTube Vanced with a cease-and-desist letter in 2022, having the technical department put a stake through the heart of modified clients sounds like the next plausible step.