After enabling ‘Site Isolation’ security feature in Chrome for desktops last year, Google has now finally introduced ‘the extra line of defence’ for Android smartphone users surfing the Internet over the Chrome web browser.
In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sandboxed processes in the browser.
Since each site in the browser gets its own isolated process, in case of a browser flaw or Spectre like side-channel vulnerability, the feature makes it harder for attackers or malicious websites to access or steal cross-site data of your accounts on other websites.
Site Isolation helps protect many types of sensitive data, including authentication cookies, stored passwords, network data, stored permissions, as well as cross-origin messaging that help sites securely pass messages across domains.
The feature gained attention in January 2018, when it was in the experimental zone and two critical CPU vulnerabilities were discovered, called Spectre and Meltdown, that allowed malicious websites to launch speculative side-channel attacks directly from the browser.
“Even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker,” Google said. “This significantly reduces the threat posed by Spectre.”
Soon after that, in July 2018, Google decided to enable the Site Isolation feature in Chrome for desktops and promised to the extent the same for Chrome users on Android to help them defend against even fully compromised processes.
Performance Tradeoff: Chrome for Android Only Isolates Sites with Login
Today, the tech giant has finally announced the availability of this feature with the release of Chrome 77 for Android, which has now been enabled for 99% of users who are running Android devices with a sufficient amount of RAM i.e., at least 2GB, with a 1% holdback to monitor and improve performance.
Most importantly, it should be noted that unlike Chrome for desktops, the site isolation feature in Chrome for Android doesn’t sandbox all websites.
Instead, in an attempt to keep up with the device performance, the Site Isolation on Chrome 77 for Android has been re-designed to protect only high-value websites where users log in with passwords.
“We wanted to ensure that Site Isolation does not adversely affect user experience in a resource-constrained environment like Android,” Google said today in its latest blog post.
“This is why, unlike desktop platforms where we isolate all sites, Chrome on Android uses a slimmer form of Site Isolation, protecting fewer sites to keep overhead low. This protects sites with sensitive data that users likely care about, such as banks or shopping sites, while allowing process sharing among less critical sites.”
For example, when you visit a banking or e-commerce site within the Chrome browser on your Android phone and log in to your account, Chrome will observe a password interaction and automatically turn on the Site Isolation feature.
Eventually, the browser will render that site in its own dedicated renderer process, helping protect your sensitive information on that site from all other sites.
Moreover, Chrome will keep a list of your isolated sites stored locally on your device, which helps the browser to automatically turn on the feature whenever you revisit one of those sites.
However, if you want to forcefully enable this protection to isolate all websites without caring about the performance of your device, you can manually opt-in to full Site Isolation via chrome://flags/#enable-site-per-process setting page.