Google: Why we won't patch pre-KitKat Android WebView

Google finally explains why it's wiping its hands clean of patches for flaws in WebView running on Android 4.3 and below - and what users should do to stay safe.
Written by Liam Tung, Contributing Writer

Google has finally explained why it's not going to develop its own patches for WebView for Android versions 4.3 and earlier, even though it could leave over 930 million Android devices exposed to attacks.

The company's decision was only discovered recently after researchers reported a new security bug in WebView to Google, only to be told that the company won't develop the patches for WebView in Android below 4.4 KitKat. While that's two generations of the OS back, 60 percent of Android users - roughly 930 million users - are still running Android 4.3 and below.

WebView is a component of Android used by developers to display web content in their apps and it was the foundation of its browser in all versions up to Android 4.3.

While Google's decision affected almost a billion Android users, the company had not detailed the reasons for a decision that could potentially put users at risk, nor had it provided any advice to consumers using older Android versions on how to stay safe.

Adrian Ludwig, Google's lead engineer for Android security, on Friday revealed the decision was due to the complexity of applying patches to older branches of WebKit - the browser engine that was used in WebView and Chrome until Google forked WebKit into Blink for Chrome. (For a rundown of WebKit, WebView, and Chrome in Android, read this summary by security researcher Joshua Drake.)

"Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier," explained Ludwig. "But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."

Besides that, he added, "the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."

Ludwig's security advice for the 60 percent of users still on Android 4.3 and below is to use browsers that are updated through Google Play or browsers that provide their own content renderer. He cites the examples of Chrome, which is supported on Android 4.0 and higher, and Firefox, which supports Android 2.3 and higher. In other words, don't use the native Android browser that shipped with Android 4.3 and below.

Also, developers that are using WebView "should confirm that only trusted content (eg loaded from a local source or over HTTPS) is displayed within WebViews in their application," he said.
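One way an app could enforce that advice, as an added example that is not code from Google or from the article: a `WebViewClient` for pre-KitKat API levels that only lets the WebView load bundled assets or HTTPS URLs. The class name, the host allow-list (stricter than the quote, which only asks for HTTPS) and the `example.com` hosts are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical client: restricts a WebView to bundled assets and allow-listed HTTPS hosts. */
public class TrustedContentClient extends WebViewClient {
    // Assumption: placeholder hosts the app controls.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<String>(Arrays.asList("app.example.com", "static.example.com"));
    private static final String LOCAL_PREFIX = "file:///android_asset/";

    static boolean isTrusted(String url) {
        if (url == null) return false;
        if (url.startsWith(LOCAL_PREFIX)) return true;      // content shipped inside the APK
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())    // plain http, data:, etc. are rejected
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);   // returning true stops the WebView from navigating there
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) return null;                    // null lets the WebView fetch it itself
        // Anything else (e.g. an http:// script or image) is replaced with an empty body.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** The app checks the first URL itself; the callbacks above cover what the page does next. */
    public static void loadTrusted(WebView webView, String url) {
        if (!isTrusted(url)) throw new IllegalArgumentException("untrusted URL: " + url);
        webView.getSettings().setAllowFileAccess(false);    // android_asset URLs stay reachable
        webView.setWebViewClient(new TrustedContentClient());
        webView.loadUrl(url);
    }
}
```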

According to ZDNet's sister site CNET, Ludwig's explanation is Google's current position on the matter.
