Recently, our Enterprise Solutions group was engaged by a customer/partner requiring a sample Android application to whitelist some specific websites, while blocking access to sites outside of the whitelist. Secure Browser is an Android application that only allows access to websites that an organization defines as being safe to visit.
We provided our enterprise partner with a simple prototype app to build upon, and wanted to share the experience since it can be of use to BlackBerry developers who are targeting the PRIV.
Requirements
The rules of the game (requirements) made by the partner:
- The user can only visit the sites that are mentioned as bookmarks.
- Bookmarks cannot be changed by the user.
- The user should be able to access subpages of whitelisted sites.
- The addition and deletion of new sites should be easy for the BES administrator.
- The user can enter the address in address bar but again the constraint should be applied on that also.
Let’s give it a thought. What do we need?
What comes to mind when considering how to implement the whitelist against the content being displayed? We will have a fixed number of domains that will be whitelisted.
Implementation
After a bit of thought, this turns out to be a simple problem to solve. We can use a data structure such as an ArrayList in the onCreate() method of the application, and populate this list from there. (Of course there are other data structures which you can use.)
Next, we’ll need to store the whitelisted domains. Remember from rule 4 above, that it should be very easy to add and remove the domains. To do so, we made an array of strings and store it in an XML file.
To implement the Browser aspect of the application itself, we used a standard WebView component provided by the Android framework. We also wanted to implement typical browser functionality such as going forward and going back to the previous pages visited. To implement the forward and backward functionality of the browser, we used the goForward() and goBack() call within the WebView class. We override the back key event to perform the goBack operation.
1 2 3 4 5 6 7 | public void onBackPressed() { if (myWebView.canGoBack()) { myWebView.goBack(); } else { super.onBackPressed(); } } |
For browser applications it’s also required to add the Internet permission to the Android Manifest file.
1 | <uses-permission android:name= "android.permission.INTERNET" /> |
Obstacles
There were some additional requirements that we came across while building the prototype as well. One in particular occurs when a search engine is being whitelisted. How can we prevent a user from opening pages that are returned within the search results?
For this we used the shouldOverrideUrlLoading callback that is present in WebViewClient class, as implemented below.
1 2 3 4 5 6 7 8 9 | public boolean shouldOverrideUrlLoading(WebView view, String url) { hideKeyboard(); if (allowedNav(url)) { view.loadUrl(url); return true ; } Toast.makeText(HomeActivity. this , R.string.not_allowed, Toast.LENGTH_SHORT).show(); return true ; } |
This is an effective approach for such a scenario. Take note that this method is not called for requests using the POST method.
Github Source Code
We’ve taken the liberty of open-sourcing the project as well! You can access source code here.
Good Enterprise Solutions
For enterprise customers interested in deploying a similar solution, our friends at Good Technology also offer a more sophisticated end-to-end solution to secure browsing. With our recent Good acquisition we have further augmented our portfolio of security solutions. One of these coveted solutions is Good Access.
Some of the salient features that it provides:
- Utilizes secure container for browsing.
- End-to-end encryption of data.
- Restricts other applications connectivity to your intranet.
- Policies for application passwords.
- No outbound firewall holes.
You can access more information here and complete documentation is available here.
The application is freely available at Google Play and Apple App Store.