How to avoid WebView trouble on older Android devices

Google has stopped providing pre-KitKat patches for Android's built-in Web browser, but that doesn't mean you're left wide open to attacks.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Almost a billion users are still running Android 4.3, Jelly Bean, or earlier, but Google will no longer develop security patches for WebView, Android's built-in Web browser engine, on those versions. Fortunately, that doesn't mean you have to remain exposed to attacks.

Why has Google stopped doing this? Tod Beardsley, a security researcher at Rapid7, described Google's move as "bizarre ... eyebrow-raising news."

Google, Beardsley added, had told Rapid7 that "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue ... If patches are provided with the report or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."

Sources at Google told me when a vulnerability is discovered, the company provides quick security updates for Nexus devices, ensures that future releases of Android are protected, and then works with OEMs to communicate when older versions of Android require updates.

Another Google source added that patches for older versions of Android must go through the OEMs and carriers, who often fail to deliver these patches to their customers. So, while Google was making the patches, they weren't getting to end-users anyway.

Or, as Alex Dobie, managing editor for Android Central, put it in a tweet, "Google fixed the Jelly Bean webview issue over a year ago. The patch is called Android 4.4 KitKat."

Unfortunately, neither OEMs nor carriers deliver new versions to older smartphones or tablets on any kind of regular basis. Unlike Windows, where Microsoft delivers patches directly to end-users, ordinary Android users are stuck with whatever updates or patches their phone makers or phone companies will dole out to them.

Further complicating matters, before KitKat WebView was based on the open-source WebKit browser engine. Google forked WebKit in 2013, so starting with the next version of Android, KitKat, WebView uses Google's own Blink engine, which is also used by Chrome and Opera. Then, with Android 5.0, Lollipop, WebView became a separate application rather than part of Android's firmware.

This means that, going forward, end-users can update WebView themselves. It also means there are now three situations: Jelly Bean and earlier run an out-of-date, no longer supported engine; KitKat runs a current engine, but one that can only be updated together with the operating system; and only Lollipop lets WebView be updated on its own.
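An app that embeds WebView can sort the device into those three situations at runtime and apply a conservative configuration when the engine will never be patched. The following is an added example, not code from the article or from Google; the tier names and the settings chosen for the unsupported tier are this example's own assumptions.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Added example: classify the platform WebView by the support situations the article describes. */
public final class WebViewSupport {
    /** Hypothetical tier names chosen for this example. */
    public enum Tier { UNSUPPORTED_WEBKIT, OS_UPDATED_BLINK, STANDALONE_UPDATABLE }

    public static Tier tierFor(int sdkInt) {
        if (sdkInt < Build.VERSION_CODES.KITKAT) {          // 4.3 Jelly Bean and earlier: WebKit, no further Google patches
            return Tier.UNSUPPORTED_WEBKIT;
        } else if (sdkInt < Build.VERSION_CODES.LOLLIPOP) { // 4.4 KitKat: Blink, patched only with an OS update
            return Tier.OS_UPDATED_BLINK;
        }
        return Tier.STANDALONE_UPDATABLE;                    // 5.0 Lollipop and later: WebView is its own updatable app
    }

    public static Tier tierForDevice() {
        return tierFor(Build.VERSION.SDK_INT);
    }

    /**
     * Conservative settings for a WebView whose engine will not receive patches.
     * These choices are this example's assumption of a reasonable minimum, not a
     * recommendation from the article; callers must confirm the content they load
     * still works with JavaScript and local file access turned off.
     */
    public static void hardenIfUnsupported(WebView webView) {
        if (tierForDevice() != Tier.UNSUPPORTED_WEBKIT) {
            return;
        }
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);   // no script execution in an engine that stays unpatched
        s.setAllowFileAccess(false);     // block file:// loads
        s.setAllowContentAccess(false);  // block content:// loads (API 11+)
        // The file-URL cross-origin switches only exist from Jelly Bean (API 16) onward.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
    }
}
```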

But what can you do today? The drastic solution is to root your smartphone or tablet and replace its existing out-of-date version of Android with KitKat from a third-party vendor such as CyanogenMod.

The best and easiest way, though, is simply to download another Web browser. Personally, I recommend Google's own Chrome, but Firefox or Opera also work well. Each one is automatically kept up-to-date and none of them rely on the old, potentially vulnerable WebView.

Or, you can just relax. As Chris Boyd, malware intelligence analyst at Malwarebytes, noted: "Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake or rogue application installs - typically by sites asking the device owner to allow installs from 'unknown sources.' So, if you just avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be."

Personally, I never look for apps outside the Google Play Store or the Amazon Appstore for Android. Even so, I'd still upgrade my Android Web browser. Better safe than sorry.
