Two weeks ago, Rapid 7 researchers discovered that Google will no longer be providing security patches for WebView used in pre-KitKat (v4.4) Android versions, meaning that over 60 percent of all Android users will be placed in danger by every new bug affecting the core component that displays web pages on an Android device without the user needing to open another app.
Google will still welcome patches made by third parties for consideration and eventual delivery to OEMs, the company said.
Adrian Ludwig, lead engineer for Android security at Google, has recently taken upon himself to explain the reasoning behind this unpopular company decision.
“WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” he explained.
Android KitKat and Lollipop sport a newer, Chromium-based version of WebView.
“With Google’s assistance, Android device manufacturers (OEMs) have been moving rapidly to improve the rate that devices are updated and to ship devices with the most recent versions of Android,” Ludwig pointed out.
“Improving WebView and browser security is one of the areas where we’ve made the greatest progress. Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything.”
Nevertheless, there are users that can’t or won’t update to one of these two latest Android versions, and to them he advises using a browser that provides its own content renderer and is regularly updated, such as Chrome or Firefox.
He also advised application developers to help keep users safe by making sure that “only trusted content (e.g. loaded from a local source or over HTTPS) is displayed within WebViews in their application,” and urged them to consider providing their own renderer on Android 4.3 and earlier.