Webview Kiosk

Security

Authentication, launcher, lock task mode/pinning, device owner, DPC and managed configurations

1. Settings Authentication Session

The settings page is locked using the device's biometrics or credentials (if set).

Once unlocked, it will not prompt for login for the next 5 minutes. This session duration resets each time a settings page is accessed.

When the device is locked, or the app is exited or placed in the background, the authentication session will be revoked.

2. Default Launcher

By setting Webview Kiosk as the default launcher (home screen) app, any attempts to leave the app will simply re-open it.

To do this, use the Launcher option in Setting Actions.

3. App Pinning / Lock Task Mode

3.1. User-owned Devices

On regular user-owned devices, to improve security, enable Ask for PIN/pattern/password before unpinning in your device settings.

On some devices, it may be shown as Lock device when unpinning or equivalent.

This setting is accessible by first finding App Pinning, then clicking into the item (instead of the toggle/switch) to see additional options.

This will ensure that users cannot unpin (and thus unlock) the kiosk view without the device first locking itself and requiring your biometrics or credentials.

For more on Android App Pinning, visit the following resources:

  1. Google Official Documentation
  2. Samsung Guide for Unpin Lock

3.2. Device Policy Controller

If you have access to your Device Policy Controller (DPC), or your MDM/EMM has provided an interface to do so, it is recommended that you add Webview Kiosk to the allowlist of apps for lock task packages.

This has the benefits of:

  1. removing warnings and instructions when you "lock" the app (as it is no longer "screen pinning" like in user-owned devices)
  2. stopping users from triggering the "unpin" action using gestures or holding the back and overview button, thus removing the side-effect of the device getting locked when users attempt to "unpin"

In Lock Task Mode, the only way to unlock Webview Kiosk is through the methods provided in-app, which are always configurable and can be disabled. The supported methods are currently:

  1. Opening the Kiosk Control Panel by either
    • holding the back button
    • tapping the screen 10 times in quick succession at your configured region (e.g. Top Left quadrant)
  2. Adding a custom unlock shortcut (requires a physical keyboard or a method of sending key combinations, e.g. CTRL+1)

There are also standalone applications that, when set as the device owner, can perform the duties of a DPC. Below are instructions for two common solutions:

  1. Google's Test DPC

    • Go to Lock Task -> Manage lock task list and enable Webview Kiosk.
  2. OwnDroid

    • Go to System -> Lock Task Mode -> Applications and add Webview Kiosk's package name, which you can find in the Settings -> About screen.

Finally, if you are writing your own DPC, the Kotlin code to achieve this would be:

import android.app.admin.DevicePolicyManager
import android.content.Context

val APP_PACKAGES = arrayOf(
  // Choose one depending on your installation method:
  "uk.nktnet.webviewkiosk",   // GitHub, F-Droid, IzzyOnDroid, etc
  "com.nktnet.webview_kiosk", // Aurora Store, Google Play Store
)

val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager
// ComponentName of your DPC's DeviceAdminReceiver (getComponentName is your own helper)
val adminName = getComponentName(context)
// Allowlist the package(s) for lock task mode
dpm.setLockTaskPackages(adminName, APP_PACKAGES)

For more information, see Android's official documentation.
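A more defensive variant of the snippet above, as an added example (not Webview Kiosk's or Android's own code): it confirms the caller is a device or profile owner, merges the kiosk package into the existing allowlist instead of overwriting it, and verifies the result. The function name `allowKioskLockTask` and its parameters are hypothetical.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.Build

/**
 * Hypothetical helper for a custom DPC.
 * `admin` is the ComponentName of your own DeviceAdminReceiver;
 * `kioskPackage` is the Webview Kiosk package name for your install source.
 * Returns true only if the package ends up permitted for lock task mode.
 */
fun allowKioskLockTask(
    context: Context,
    admin: ComponentName,
    kioskPackage: String,
): Boolean {
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // setLockTaskPackages throws SecurityException when the caller is not a
    // device owner or profile owner, so check first and fail closed.
    val isOwner = dpm.isDeviceOwnerApp(admin.packageName) ||
        dpm.isProfileOwnerApp(admin.packageName)
    if (!isOwner) return false

    // setLockTaskPackages replaces the whole allowlist. Read the current list
    // (getLockTaskPackages needs API 26+) so other allowlisted apps are kept.
    // On older releases the list cannot be read and will be overwritten.
    val current: Set<String> =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            dpm.getLockTaskPackages(admin).toSet()
        } else {
            emptySet()
        }

    if (kioskPackage !in current) {
        dpm.setLockTaskPackages(admin, (current + kioskPackage).toTypedArray())
    }

    // Verify the policy took effect before relying on lock task mode.
    return dpm.isLockTaskPermitted(kioskPackage)
}
```

If this returns false, the app will fall back to regular screen pinning, which users can leave with the system unpin gesture.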

3.3. Device Owner Mode

When set as the device owner, Webview Kiosk can act as a DPC and automatically adds itself to the allowlist for lock task packages.

You can set or remove Webview Kiosk as the device owner using Android Debug Bridge (ADB) on a PC.

# Set Webview Kiosk as Device Owner
adb shell dpm set-device-owner uk.nktnet.webviewkiosk/.WebviewKioskAdminReceiver

# Remove Webview Kiosk as Device Owner
adb shell dpm remove-active-admin uk.nktnet.webviewkiosk/.WebviewKioskAdminReceiver

Alternatively, you can use Shizuku and Termux to obtain direct ADB access on your Android device (thus skipping the PC requirement). Refer to GitHub Discussion #33 for a video demonstration.

Webview Kiosk also supports Dhizuku, a tool that can share device owner permissions. If Dhizuku is installed, you will be prompted to grant permission when the app launches. Please note that Dhizuku will need to be set as the device owner as per the official instructions.

4. Managed App Configurations

For fully managed (company-owned) devices, you can use managed configurations to restrict and remotely modify Webview Kiosk settings through your MDM/EMM.

It is also possible to set app restrictions using OwnDroid or Test DPC.

For a list of available app restrictions, refer to ./app/src/main/res/xml/app_restrictions.xml.

Below are instructions for a few popular MDM/EMM providers:
