Android Jellybean users told to ditch WebView for Chrome or Firefox
Google responds to criticism over decision not to patch older versions of WebView for Android
Google has shed some light on its decision not to patch older versions of WebView for Android, despite the move potentially leaving hundreds of millions of users vulnerable to security attacks.
Security researchers from Rapid7 confirmed earlier this month that Google will no longer be releasing patches for WebView on Android 4.3 Jelly Bean or earlier.
The decision came to light after the researchers uncovered a security flaw in the software, which is what Android devices use to display web pages, and was told by Google that it has no plans to patch Webview on older versions of Android.
When asked for confirmation, a statement from Android's security team said: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue [...] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well."
The researchers note that Google has changed the update policy due to third party devices with the Android Browser, which the company can no longer verify. "The best way to ensure that Android devices are secure is to update them to the latest version of Android," the response added.
The move leaves the majority of Android Devices unsupported. It recently came to light that just 0.1 per cent of Android users have upgraded to 5.0 Lollipop, and figures show that 39.1 per cent are currently using 4.4 KitKat, leaving more than 930 million phones now without official security patch support.
Google has come under fire for its stance on Webview updates, and has now made moves to explain to users why it's ceasing them for older devices.
In a Google+ post, Adrian Ludwig, lead engineer at Google for Android security, said it's not sustainable for the company to continue support for aged software.
"Until recently, we have provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month," he explained.
"In some instances applying vulnerability patches to a 2+ year old branch of Webkit requires changes to significant portions of the code and was no longer practical to do safely.
"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," he added.
To protect themselves from security risks, he said users should install the Chrome of Firefox web browsers, as these are both regularly updated through Google Play.
"Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future," Ludwig continued.
"It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers."
This article was originally published on 12/01/15 but has been updated multiple times (most recently on 26/01/15) to reflect new information.
Application security fallacies and realities
Web application attacks are the most common vulnerability, so what is the truth about application security?Download now
Your first step researching Managed File Transfer
Advice and expertise on researching the right MFT solution for your businessDownload now
The KPIs you should be measuring
How MSPs can measure performance and evaluate their relationships with clientsDownload now
Life in the digital workspace
A guide to technology and the changing concept of workspaceDownload now