It hasn’t been long since there was a bit of uproar about Android security. In particular, concerns centred on the older version of WebView that forms a part of Android 4.3, which is no longer being actively maintained by Google.
WebView? WebView was a system component (it now is updatable separately from the OS) that allows 3rd party apps to display web content within their app without having to code an entirely separate web browser component. You might have seen WebView in a Twitter client (for example) operating as an internal browser.
First of all, why isn’t it updated? Well, before Lollipop, WebView was a system component, meaning that it couldn’t be updated without updating the system itself. In practical terms, this meant that unless an OEM released an updated Android system image for a given device, WebView could not be updated. Google’s position has been (and remains) that it isn’t practical to integrate security patches from the Webkit community — which has hundreds of developers and thousands of changes each month — with a software version that’s now two years old.
Further than that, even if Google were to accept a Webkit change and integrate it with the older WebView code, it wouldn’t achieve much; without an OS update that included these changes, older devices wouldn’t benefit from it anyway.
Google’s standpoint appears to be that there is an update to WebView and other issues that arise in the older Jelly Bean systems; that update was called KitKat. In other words, if your OEM hasn’t seen fit to roll-out a KitKat update to your phone, then it’s their fault that your WebView is out of date, not Google’s, and that’s probably fair. Better news is that KitKat’s WebView is more easily updated — Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything.
So what can you do about it if you’re on an older Jelly Bean device that can’t be updated? You’ll need to take a couple of precautions, but it’s not hard. If you’re truly worried, don’t use apps that have an embedded browser; use a browser that has its own rendering engine built in that’s more up to date, such as Chrome or FireFox. Google’s Android Security spokesperson Adrian Ludwig advises:
When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome [http://goo.gl/elSkZX] or Firefox [http://goo.gl/Q5X6e3] are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater. Chrome has been the default browser for all Nexus and Google Play edition devices since 2012 and is pre-installed on many other popular devices (including Galaxy devices from Samsung, the G series from LG, the HTC One series, and the Motorola X and G), so you may already be using it.
Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.
As with all things, being careful online is the number one defence.