Google, Beardsley added, had told Rapid7 that "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue ... If patches are provided with the report or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."
Sources at Google told me that when a vulnerability is discovered, the company provides quick security updates for Nexus devices, ensures that future releases of Android are protected, and then works with OEMs to communicate when older versions of Android require updates.
Another Google source added that patches for older versions of Android must go through the OEMs and carriers, who often fail to deliver these patches to their customers. So, while Google was making the patches, they weren't getting to end-users anyway.
Unfortunately, neither OEMs nor carriers deliver new versions to older smartphones or tablets on any kind of regular basis. Unlike Windows, where Microsoft delivers patches directly to end-users, ordinary Android users are stuck with whatever updates or patches their phone makers or phone companies will dole out to them.
This means that, moving forward, end-users can update WebView. It also means that Jelly Bean and earlier Android versions are running an out-of-date, no longer supported Web browser engine; KitKat runs an up-to-date engine, but one which can only be updated with the operating system; and only Lollipop has been set so that WebView can be updated on its own.
But what can you do today? The drastic solution is to root your smartphone or tablet and replace its existing out-of-date version of Android with KitKat from a third-party vendor such as CyanogenMod.
The best and easiest way, though, is simply to download another Web browser. Personally, I recommend Google's own Chrome, but Firefox or Opera also work well. Each one is automatically kept up-to-date and none of them rely on the old, potentially vulnerable WebView.
Or, you can just relax. As Chris Boyd, malware intelligence analyst at Malwarebytes, noted: "Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake or rogue application installs - typically by sites asking the device owner to allow installs from 'unknown sources.' So, if you just avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be."
Personally, I never look for apps outside the Google Play Store or the Amazon Appstore for Android. Even so, I'd still upgrade my Android Web browser. Better safe than sorry.