The WebView security issue in Android 4.3 and earlier has recently come to light, along with statements from Google that it has no intention of providing security patches for these versions. This disappointed the almost 1 billion users who still run these older versions of Android, as it means Google is leaving all of them vulnerable to security threats.
WebView is the core Android component used to render web pages inside apps, eliminating the need to open them in a full browser. It was originally based on WebKit, which was replaced by the Chromium-based WebView introduced with KitKat, which allows Android device manufacturers (OEMs) to deliver WebView updates to users. With the latest Lollipop OS, Google delivers these updates directly to users via Google Play, without any involvement from the OEMs.
This leaves Android 4.3 and earlier versions vulnerable to security issues in the WebView component.
Google had also previously stated that it would welcome security patches contributed by developers to the AOSP, but would not develop them itself. Recently, Google engineer Adrian Ludwig officially responded on Google+, explaining why Google would not be providing patches for this WebView issue. He says,
“Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”
To avoid these issues, Google essentially suggests that consumers update their devices to Android 4.4 or higher, and, if their OEMs do not provide the update, get a new device that supports the latest version of Android.
On the other hand, Adrian Ludwig also offers some suggestions for reducing the risk from these WebKit vulnerabilities. He suggests that users use a browser such as Chrome or Firefox, which is regularly updated through Google Play (Chrome supports Android 4.0 and higher, whereas Firefox supports Android 2.3 and higher). An updated browser can protect users from currently known security issues and, because these browsers are updated regularly, could also protect them from future security threats.
He also suggests that developers take steps to ensure that only trusted content is displayed through WebView in their apps, and that they consider providing their own renderer so that they can keep it up to date with the latest security patches.
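One way a developer could follow the "only trusted content" advice, shown as an added example that is not from Ludwig's post or from Google: a `WebViewClient` that lets the WebView load only HTTPS URLs from an allowlist of the app's own hosts. The class name, the `harden` helper and the `example.com` hosts are hypothetical placeholders.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Restricts a WebView to HTTPS content from hosts the app trusts (hypothetical class). */
public class TrustedContentClient extends WebViewClient {
    // Assumption: placeholder hosts; replace with the origins the app actually controls.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<String>(
            Arrays.asList("app.example.com", "static.example.com"));

    /** True only for https:// URLs whose host is exactly on the allowlist. */
    public static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equals(scheme.toLowerCase(Locale.US))
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true tells the WebView not to load the URL itself.
        return !isTrusted(url);
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) return null; // null lets the WebView fetch it normally
        // Untrusted resources (scripts, frames, images) get an empty response.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** Applies conservative settings and installs the allowlisting client. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false); // off by default; keep it off unless required
        settings.setAllowFileAccess(false);   // no file:// access from web content
        webView.setWebViewClient(new TrustedContentClient());
    }
}
```

`shouldOverrideUrlLoading` is not invoked for URLs the app passes straight to `loadUrl()`, so the app should call `TrustedContentClient.isTrusted(url)` itself before loading anything that comes from an intent, a push message or other external input.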
What do you think of this response from Google on not providing security patches for WebView issues? Let us know in the comments!