Public Wi-Fi networks are everywhere these days, and thanks to the proliferation of technologies like HSTS and HTTPS, they’re generally considered safe to use even without the use of a VPN. Unfortunately, some public Wi-Fi networks are quite inconvenient to use, as they might ask you to log in using a social network account or share some of your personal data. This wouldn’t be too much of a problem if the Captive Portal—the web page that appears when you connect to public Wi-Fi—had access to your autofill data, but it doesn’t. However, that could soon change.

The reason captive portals don’t have access to your autofill data is because they’re open in Android WebView system the application. Android WebView, or WebView for short, is the system component that allows apps to display web-based content without taking you out of the app. Although it is based on the same open source code as Google Chrome and several others the best android browsersit does not share autocomplete or session data with them. Consequently, when a captive portal asks you to log in to a social network account or enter your personal data, you have to fill in all these details from scratch.

However, if captive portals were opened in an Android custom tab, then they would have access to your autocomplete or session data, as custom tabs are simply instances of the default web browser. Android Custom Tabs have been around for a long time, though you may know them by their previous name Chrome Custom Tabs from when the feature was only supported by Google Chrome. While custom tabs aren’t fully rendered in the app like WebViews are, they do have access to your browsing session, saved passwords, payment methods, and addresses, not to mention other features not supported by the app WebView of the Android system, compared to the basic one. . This makes custom tabs ideal for captive portals, as they can help you enter information faster and thus connect to the network faster.

Fortunately, Google is now preparing for Android to open these Captive Portal pages in an Android custom tab instead of WebView. A set of labeled patches captive_portal_cct which adds support for custom tabs to Captive Portal Login — the system application that contains the logic for managing Captive Portal pages — was merged a few months ago. Patches add preliminary support for this feature, introducing code to open captive portals in an Android custom tab, as well as grouping androidx.browser library required for custom tab support. However, the implementation is currently disabled by default and protected with a feature flag, so it is not yet enabled.

Captive portal login is part of a The main line of the project mode that is available on all devices running Android 10 or later (Network Stack), which means that Google can send updates to it through Play System Updates. Indeed, the latest public version of Captive Portal Login already contains the code that Google merged with AOSP in August, but the feature is still disabled by default at this time. I don’t know when Google plans to release this feature, but it may take some time since the additional fixes related to the custom tab that were merged with AOSP in September have not yet reached the Captive Portal Login app on devices.

While I think opening captive portals in Android custom tabs will improve the convenience of accessing public Wi-Fi, I don’t suspect it will really lead to significant security improvements. For example, I don’t see how this change will affect the effectiveness of evil twin attacks, which is when attackers create a fake public Wi-Fi access point with a malicious captive portal designed to steal your credentials. Of course, if a fake captive portal asked you for social authentication and you recognized something was wrong when your web browser didn’t auto-fill the data or auto-authenticate using the saved cookie, you could avoid this type of attack. However, I believe few users would recognize this scenario, meaning there would be little difference between the two implementations in terms of overall security.

Even though this change doesn’t really improve security, I don’t see any major downsides other than slightly increasing the size of the Captive Portal Login app. Hopefully it will be released soon, so connecting to some public Wi-Fi networks will be a little less painful.