Security
Authentication, launcher, lock task mode/pinning, device owner, DPC and managed configurations
1. Settings Authentication Session
The settings page is locked using the device's biometrics or credentials (if set).
Once unlocked, it will not prompt for login for the next 5 minutes. This session duration resets each time a settings page is accessed.
When the device is locked, or the app is exited or placed in the background, the authentication session will be revoked.
2. Default Launcher
By setting Webview Kiosk as the default launcher (home screen) app, any attempts to leave the app will simply re-open it.
To do this, use the Launcher option in Setting Actions.
3. App Pinning / Lock Task Mode
3.1. User-owned Devices
On regular user-owned devices, to improve security, enable Ask for PIN/pattern/password before unpinning in your device settings.
On some devices, it may be shown as Lock device when unpinning or equivalent.
This setting is accessible by first finding App Pinning, then clicking into the item (instead of the toggle/switch) to see additional options.
This will ensure that users cannot unpin (and thus unlock) the kiosk view without the device first locking itself and requiring your biometrics or credentials.
For more on Android App Pinning, visit the following resources:
3.2. Device Owner
When set as the device owner, Webview Kiosk automatically adds itself to the allowlist for lock task packages.
This has the benefits of:
- removing warnings and instructions when you "lock" the app (as it is no longer "screen pinning" like in user-owned devices)
- stopping users from triggering the "unpin" action using gestures or holding the back and overview buttons, thus removing the side-effect of the device getting locked when users attempt to "unpin"
In this mode, the only way to unlock Webview Kiosk is through the methods provided in-app, which are always configurable and can be disabled. The supported methods are currently:
- Opening the Kiosk Control Panel by tapping the screen 10 times in quick succession (the default region is the top-left quadrant of your screen), then clicking Unlock
- Adding a custom unlock shortcut (requires a physical keyboard or a method of sending key combinations, e.g. CTRL+1)
You can set or remove Webview Kiosk as the device owner using Android Debug Bridge (ADB) on a PC.
# Set Webview Kiosk as Device Owner
adb shell dpm set-device-owner uk.nktnet.webviewkiosk/.WebviewKioskAdminReceiver
# Remove Webview Kiosk as Device Owner
adb shell dpm remove-active-admin uk.nktnet.webviewkiosk/.WebviewKioskAdminReceiver
Alternatively, you can use Shizuku and Termux to obtain direct ADB access on your Android device (thus skipping the PC requirement).
Refer to GitHub Discussion #33 for a video demonstration.
3.3. Device Policy Controller
If you have control over your Device Policy Controller (DPC), or your MDM/EMM has provided an interface to do so, you can simply add Webview Kiosk to the allowlist of apps for lock task packages.
For example, using Google's sample Test DPC application (available on the Play Store, GitHub and IzzyOnDroid), simply go to Lock Task -> Manage lock task list and enable Webview Kiosk.
Alternatively, if you are writing your own DPC, the Kotlin code to achieve this would be:
import android.app.admin.DevicePolicyManager
import android.content.Context

val APP_PACKAGES = arrayOf(
    // Choose one depending on your installation method:
    "uk.nktnet.webviewkiosk", // GitHub, F-Droid, IzzyOnDroid, etc
    "com.nktnet.webview_kiosk", // Aurora Store, Google Play Store
)

val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
// getComponentName(context) is assumed to be your DPC's own helper that
// returns the ComponentName of its DeviceAdminReceiver.
val adminName = getComponentName(context)
dpm.setLockTaskPackages(adminName, APP_PACKAGES)
For more information, see Android's official documentation.
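Note that setLockTaskPackages() replaces the whole allowlist rather than appending to it, so a DPC that already allowlists other apps should merge before writing. The following is an added example (not code from Webview Kiosk or Test DPC) that merges, writes and then verifies the allowlist; the function name allowWebviewKioskLockTask and the admin parameter are assumptions standing in for your own DPC's code.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.Build

// Package names as listed on this page. Keep only the one you actually
// installed, so that no unused package name is left on the allowlist.
private val KIOSK_PACKAGES = setOf(
    "uk.nktnet.webviewkiosk",   // GitHub, F-Droid, IzzyOnDroid, etc
    "com.nktnet.webview_kiosk", // Aurora Store, Google Play Store
)

/**
 * Adds Webview Kiosk to the lock task allowlist without dropping entries
 * that are already on it, then reports which kiosk packages are permitted.
 *
 * @param admin ComponentName of your DPC's DeviceAdminReceiver
 *              (assumption: supplied by the caller).
 */
fun allowWebviewKioskLockTask(context: Context, admin: ComponentName): Set<String> {
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // The platform throws SecurityException when the caller is not an owner
    // allowed to set this policy. Checking first gives a clearer failure.
    val isOwner = dpm.isDeviceOwnerApp(admin.packageName) ||
        dpm.isProfileOwnerApp(admin.packageName)
    check(isOwner) { "${admin.packageName} is not a device or profile owner" }

    // getLockTaskPackages() needs API 26+. On older releases the previous
    // list cannot be read back, so only the kiosk packages are written.
    val current: Set<String> =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            dpm.getLockTaskPackages(admin).toSet()
        } else {
            emptySet()
        }

    // Write the merged list: existing entries plus the kiosk packages.
    dpm.setLockTaskPackages(admin, (current + KIOSK_PACKAGES).toTypedArray())

    // Read the policy back instead of assuming the write took effect.
    return KIOSK_PACKAGES.filter { dpm.isLockTaskPermitted(it) }.toSet()
}
```

An empty return value means the policy was not applied and the app will fall back to ordinary screen pinning behaviour.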
4. Managed App Configurations
For fully managed (company-owned) devices, you can use managed configurations to restrict and remotely modify Webview Kiosk settings through your MDM/EMM.
It is also possible to set app restrictions using the Test DPC application mentioned previously.
For a list of available app restrictions, refer to ./app/src/main/res/xml/app_restrictions.xml.
Below are instructions for a few popular MDM/EMM providers:
Managed configuration APIs can only be used by certified EMM providers. For example, Headwind MDM does not support this feature.