Chrome not proceeding with Web Integrity API deemed by many to be DRM

Back in July, Google’s work on a Web Integrity API emerged, and many equated it to DRM. While prototyped, it was only at the proposal stage, and the company announced today it’s not going ahead with the proposed API.

With this proposal, Google wanted to give websites a way to confirm the authenticity of the user and their device/browser.

Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it.

The Web Integrity API would let websites “request a token that attests key facts about the environment their client code is running in.” It’s not all too different from the Play Integrity API (SafetyNet) on Android that Google Wallet and other banking apps use to make sure a device hasn’t been tampered with (rooted).

Example use cases offered by Google include:

  • Detect social media manipulation and fake engagement.
  • Detect non-human traffic in advertising to improve user experience and access to web content.
  • Detect phishing campaigns (e.g. webviews in malicious apps).
  • Detect bulk hijacking attempts and bulk account creation.
  • Detect large-scale cheating in web-based games with fake clients.
  • Detect compromised devices where user data would be at risk.
  • Detect account takeover attempts by identifying password guessing.

People took issue with how the Web Integrity API would bring DRM to the open web. Google “heard your feedback” and said today that the “Web Environment Integrity proposal is no longer being considered by the Chrome team.”

However, it is piloting a new Android WebView Media Integrity API that’s “narrowly scoped, and only targets WebViews embedded in apps.”

It simply extends existing functionality on Android devices that have Google Mobile Services (GMS) and there are no plans to offer it beyond embedded media, such as streaming video and audio, or beyond Android WebViews.

In the context of media, WebViews can be used to embed streaming video and audio in Android apps with advanced configuration options and UI customization. However, they can be abused:

This brings a lot of flexibility, but it can be used as a means for fraud and abuse, because it allows app developers to access web content, and intercept or modify user interactions with it. While this has its benefits when apps embed their own web content, it does not prohibit bad actors from modifying content and, by proxy, misrepresenting its source. 

The new Media Integrity API allows “embedded media providers access to a tailored integrity response that contains a device and app integrity verdict so that they can ensure their streams are running in a safe and trusted environment, regardless of which app store the embedding app was installed from.”

On the privacy front, no user or device identifiers are shared:

Unlike apps and games using Play Integrity API, media providers will not obtain the app’s Play licensing status and apps will also be able to exclude their package name from the verdict if they choose. Our goal for the API is to help sustain a thriving and diverse ecosystem of media content in Android apps, and we’re inviting media content providers to express interest in joining an early access program early next year.

Author

Abner Li