A dev recently discovered a browser built into the settings (for any google app that lets you edit settings). From there you can bypass parental controls or enterprise restrictions.
This is a pretty exciting “extra feature”, Google!
A dev recently discovered a browser built into the settings (for any google app that lets you edit settings). From there you can bypass parental controls or enterprise restrictions.
This is a pretty exciting “extra feature”, Google!
This isn’t a secret browser, it’s Android System Webview - the system browser apps use when they aren’t a browser.
What they’ve found here is a route to google.com from a webview page accessed from within the settings.
100% but I believe these are typically locked down to one domain, and in this case its not.
At least thats how I understand it. So I guess the article is a little misleading in that sense, but the net effect is the same. You have carte blanche access to the web, via android system webview, thats acting as a de-facto out-of-band browser. So its misconfigured or not locked down, which means you can use it effectively as a “hidden” browser.
ASW isn’t locked down to any domains though, it’s just a basic browser, one that typically doesn’t let you type in a url to go to any other domains. It’s not locked down, you’re just limited in how you can navigate.
What happened here is someone managed to navigate from one page to another page and then another, in order to ultimately get to google.com and search for whatever page they wanted. The initial web pages presented linked outside of what it maybe should have.
Whether ASW should be under parental controls is another matter. Apparently it isn’t (at least not parental controls that affect only installed browser apps) but that could have valid functional reasons behind it.
It’s even listed in the apps section in the settings app.
I think the
mm
object is the most worrying thing about this, not the fact that it’s a standard WebView.