Google is finalizing a major change in the way it Android protects users who browse with ChromeThe system will include an option to completely disable the WebGPU API when the so-called Advanced Protection mode, a configuration designed for those who need extra security against sophisticated attacks.
This new feature, discovered in the internal code of Google Play services, would allow web pages lose direct access to the mobile's graphics processor. when the user prioritizes security over performance. The move fits with the company's trend to reinforce the protective layers of the browser, especially in a European context where privacy and cybersecurity are increasingly monitored by regulators and users.
What is WebGPU and why has it become a security problem?
WebGPU is a relatively recent API that allows browsers communicate very directly with the graphics processing unit (GPU) of the device. It was created as a replacement for WebGL with the idea of ​​offering more complex graphics, heavy calculations and much smoother web experiences directly from the browser, without the need for installed apps.
In practice, this technology is used to rendering 3D environments, advanced simulations, or design tools that run from a Chrome tab. Since version 121 of the browser, WebGPU has been enabled by default on Android in most modern phones with Android 12 or higher and compatible hardware from Qualcomm or ARM, which covers a large part of the device market in Spain and the rest of Europe.
The problem is that such deep access to the hardware also opens the door for the API to be exploited maliciously. Cybersecurity researchers have demonstrated that WebGPU can be used to execute remote code from a web pageThat is, an attacker can send instructions to the device simply by making the victim visit a specially prepared site.
Although Google fix these holes as soon as experts report them, There is always a window of time Between the discovery of a vulnerability and the distribution of a patch, that small window of time is more than enough reason for high-risk users to limit or block the use of technologies with such powerful hardware access.
This is how Advanced Protection mode works in Android 16
Android 16 will include an enhanced security profile known as Advanced Protection mode, which acts as a major switch: when activated, the system suddenly activates its strictest defensesThe idea is that the user doesn't have to go through each option individually, but rather has a single setting prepared for the most delicate scenarios.
This mode is especially geared towards groups with greater exposure to cyberattacks, such as journalists, activists, public officials or managersHowever, anyone concerned about their privacy could benefit. The measures it implements include restrictions on installing apps from outside Google Play, extra protection against unsafe websites, and the ability to block connections to 2G networks, which are considered less secure.
Within this set of advanced settings, Google has begun testing a new option that would allow Disabling WebGPU specifically in ChromeThe text found in the system services code refers to a setting with the description "Disable WebGPU to protect against security threats," clearly linked to this hardened mode.
In addition, Advanced Protection mode incorporates other important changes, such as blocking the AccessibilityService API for applications that are not certified accessibility tools. close off potential attack vectors which, although useful in everyday life, can also be exploited by malicious software to take control of the device.
What Android Authority has discovered about Google Play Services
The clue about this new setting didn't come from an official announcement, but from a technical analysis. The specialized website Android Authority reviewed the contents of Google Play Services v26.10.31, a version still in development, and has found direct references to the future option to disable WebGPU in Chrome within Advanced Protection mode.
By manually enabling hidden strings, researchers were able to view the internal configuration text and verify that the system would offer the user a switch to block websites from accessing the GPUIn practice, this means that Chrome would stop exposing WebGPU when the hardened profile is active, thus reducing the attack surface available for potential graphics card-based exploits.
It should be noted that, for now, This feature does not appear in the visible Android settings Nor is it in the stable version of Chrome. This is test code that could change significantly or even disappear before Android 16 is released to the general public in Europe and other markets.
These kinds of findings within Google Play Services, however, provide a fairly clear idea of ​​the direction Google is taking in terms of security: strengthen high-risk profiles and offer more aggressive protection tools that involve sacrifices in user experience.
Balance between graphics performance and user safety
The decision to link WebGPU to Advanced Protection mode has much to do with the classic dilemma between performance and security. On the one hand, this API offers notable improvements in fluidity and graphics capabilities for modern websites, cloud gaming, productivity tools, or complex visualizations that are increasingly used in European professional environments as well.
On the other hand, keeping that access point to the hardware open means that any error or vulnerability becomes a potentially serious problem. With the new option, Google seems to be opting for a more flexible model: WebGPU will remain available by default. for most users, but those who prioritize protection can turn it off with a single tap by activating the reinforced profile.
This approach has a clear cost. If the user decides to disable WebGPU, some websites They will load more slowly or lose some of their advanced visual effectsCertain web applications based on 3D graphics, intensive data processing, or interactive experiences may stop working as smoothly or may not offer all of their features.
In return, Android reduces the ability of a malicious website to use the GPU as a gateway to remote code execution. In a context where attacks targeting journalists, activists, and public officials are becoming increasingly sophisticated, to forgo some graphical spectacle It may be an affordable price for those who move daily in risky scenarios.
This measure is in addition to the frequent security updates that Chrome receives, which are silently distributed through Google Play in Europe and the rest of the world. The browser already receives security patches fairly regularly, but blocking WebGPU in hardened mode adds an additional barrier in deep layers of the system.
Impact on Android users in Spain and Europe
In markets like Spain and the European Union as a whole, where there is a strong sensitivity towards data protection and privacyThis type of option fits well with the expectations of many users. Although the change will be applied globally, Concern about targeted cyberattacks And the use of browser vulnerabilities for espionage is especially visible in the European environment.
For the average user, the change will be barely noticeable, as WebGPU will remain enabled by default in Chrome and will only be disabled when Advanced Protection mode is selected. However, users who handle sensitive information or frequently travel to countries with increased digital surveillance will likely notice the difference. They will be able to rely on this new shield as part of their security strategy.
In European organizations, from media outlets to NGOs and public entities, these types of tools make it easier for IT departments to make recommendations standard security configurations For corporate Android mobile devices. A simple adjustment allows you to reduce the risk associated with intensive web use without needing to train employees in the technical details of APIs and graphics engines.
Although everything is currently in the realm of code under development, the presence of this option in Google Play Services suggests that Google The threat posed by WebGPU is taken seriously. in the hands of attackers. If the test is successful, it's reasonable to expect that the new protection will also be available for devices sold in Spain and the rest of Europe running Android 16 or later.
It remains to be seen, however, whether the company decides to extend this philosophy to other high-risk APIs, such as certain advanced sensor functions or access to internal system components. What already seems clear is that the company wants to provide greater protection for users with the highest risk. so they don't have to choose between sailing and being safebut rather to have a mode that minimizes weaknesses, even if it means giving up some comforts.
With this step, Android and Chrome are further strengthening their security strategy: the browser will continue to offer advanced graphics capabilities thanks to WebGPU for most users, but those who activate Advanced Protection mode in Android 16 will be able to completely block websites' access to the GPU, reducing the possibility of remote code execution and reinforcing an ecosystem where, little by little, Safety is just as important as performance.
