Recently, our Enterprise Solutions group was engaged by a customer/partner requiring a sample Android application to whitelist some specific websites, while blocking access to sites outside of the whitelist. Secure Browser is an Android application that only allows access to websites that an organization defines as being safe to visit.
We provided our enterprise partner with a simple prototype app to build upon, and wanted to share the experience since it can be of use to BlackBerry developers who are targeting the PRIV.
The rules of the game (requirements) made by the partner:
- The user can only visit the sites that are mentioned as bookmarks.
- Bookmarks cannot be changed by the user.
- The user should be able to access subpages of whitelisted sites.
- The addition and deletion of new sites should be easy for the BES administrator.
- The user can enter the address in address bar but again the constraint should be applied on that also.
Let’s give it a thought. What do we need?
What comes to mind when considering how to implement the whitelist against the content being displayed? We will have a fixed number of domains that will be whitelisted.
After a bit of thought, this turns out to be a simple problem to solve. We can use a data structure such as an ArrayList in the onCreate() method of the application, and populate this list from there. (Of course there are other data structures which you can use.)
Next, we’ll need to store the whitelisted domains. Remember from rule 4 above, that it should be very easy to add and remove the domains. To do so, we made an array of strings and store it in an XML file.
To implement the Browser aspect of the application itself, we used a standard WebView component provided by the Android framework. We also wanted to implement typical browser functionality such as going forward and going back to the previous pages visited. To implement the forward and backward functionality of the browser, we used the goForward() and goBack() call within the WebView class. We override the back key event to perform the goBack operation.
For browser applications it’s also required to add the Internet permission to the Android Manifest file.
There were some additional requirements that we came across while building the prototype as well. One in particular occurs when a search engine is being whitelisted. How can we prevent a user from opening pages that are returned within the search results?
This is an effective approach for such a scenario. Take note that this method is not called for requests using the POST method.
Github Source Code
We’ve taken the liberty of open-sourcing the project as well! You can access source code here.
Good Enterprise Solutions
For enterprise customers interested in deploying a similar solution, our friends at Good Technology also offer a more sophisticated end-to-end solution to secure browsing. With our recent Good acquisition we have further augmented our portfolio of security solutions. One of these coveted solutions is Good Access.
Some of the salient features that it provides:
- Utilizes secure container for browsing.
- End-to-end encryption of data.
- Restricts other applications connectivity to your intranet.
- Policies for application passwords.
- No outbound firewall holes.