Skip to main content

Exclusive: Web Environment Integrity (Currently) Limited to Android, Testing on Chrome and WebView

Both Chrome and WebView are undergoing Web Environment Integrity (WEI) integration tests, with Android being the only platform currently supported by Google’s recently proposed API, Techtsp is able to report and confirm.

As per the codebase we have examined, several developments are happening around WEI. One such development is adding a new storage capability on Android devices, designed to store key-pair identifiers "Environment Integrity Handles" (read attestations), along with calls to the Play Integrity Attester for Android.

These “Handles” are 64-bit integer identifiers used within the proposed system. They play a vital role in creating "Integrity Tokens" (read attestation tokens). These cryptographic tokens will be used to carry out integrity checks on web environments, as evidenced by the code we have seen.

Interestingly, attentions are being designed in such a way that they can be retrieved even after the browser is closed. Perhaps, Google views this as an important step in maintaining the so-called integrity of the web environment across sessions. Without persistence, the attestations (and by extension, the attestation tokens) would have to be regenerated every time a user opens or restarts their browser).

The implementation defines two classes—AndroidEnvironmentIntegrityService and AndroidEnvironmentIntegrityDataManager—responsible for handling the necessary identifiers for WEI.

The AndroidEnvironmentIntegrityService class includes methods for creating an instance of the service and retrieving the attestations. On the other hand, the AndroidEnvironmentIntegrityDataManager class interfaces with the storage system to manage these attestations.

The technical documentation seen by Techtsp further states:

“Implementations for Web Environment Integrity can vary from platform to platform. For example, on Android we must store key-pair identifiers called "handles" and make calls to the Play Integrity attester. On other platforms, the flow may be much different.

When adding WEI support for a platform, code that is specific to that platform should be placed in the appropriate platform-specific directory (e.g. /android). Code that can be used across platforms can be placed in a /common directory.

Currently Android is the only supported platform for WEI.”

As we already know, Google engineers intend to prototype Web Environment Integrity API. Generally, once an intent to prototype is approved, the developer can start working on the prototype, which is then made available to the public so that other developers can test it and provide feedback.

If the prototype is successful, the developer can then submit an Intent to Experiment to start an origin trial, a way for web developers to experiment with new web platform features before they are made available to everyone.

Google has since received a lot of pushback from developers and critics, with some expressing fears that the new technology could undermine open web standards and further monopolize Google’s already dominant hold on the web browser market. A Google engineer has also been criticized for “silencing” and “incriminating” critics for speaking against the proposal.

Developers from other web browsers like Vivaldi, Brave, and Firefox have opposed WEI, with some even comparing it to digital rights management (DRM) for websites.