Android Jellybean users told to ditch WebView for Chrome or Firefox

Google responds to criticism over decision not to patch older versions of WebView for Android

Google has shed some light on its decision not to patch older versions of WebView for Android, despite the move potentially leaving hundreds of millions of users vulnerable to security attacks.

Security researchers from Rapid7 confirmed earlier this month that Google will no longer be releasing patches for WebView on Android 4.3 Jelly Bean or earlier.

The decision came to light after the researchers uncovered a security flaw in the software, which is what Android devices use to display web pages, and was told by Google that it has no plans to patch  Webview on older versions of Android. 

When asked for confirmation, a statement from Android's security team said: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue [...] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well."

Advertisement - Article continues below

The researchers note that Google has changed the update policy due to third party devices with the Android Browser, which the company can no longer verify. "The best way to ensure that Android devices are secure is to update them to the latest version of Android," the response added.

The move leaves the majority of Android Devices unsupported. It recently came to light that just 0.1 per cent of Android users have upgraded to 5.0 Lollipop, and figures show that 39.1 per cent are currently using 4.4 KitKat, leaving more than 930 million phones now without official security patch support.

Google has come under fire for its stance on Webview updates, and has now made moves to explain to users why it's ceasing them for older devices. 

In a Google+ post, Adrian Ludwig, lead engineer at Google for Android security, said it's not sustainable for the company to continue support for aged software.

"Until recently, we have provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month," he explained.

"In some instances applying vulnerability patches to a 2+ year old branch of Webkit requires changes to significant portions of the code and was no longer practical to do safely.

"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," he added. 

To protect themselves from security risks, he said users should install the Chrome of Firefox web browsers, as these are both regularly updated through Google Play. 

"Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future," Ludwig continued.  

"It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers."

Advertisement - Article continues below

This article was originally published on 12/01/15 but has been updated multiple times (most recently on 26/01/15) to reflect new information. 

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
public cloud

Vodafone launches 'Neuron' platform with Google Cloud

20 Nov 2019
hybrid cloud

Google Cloud ramps up its migration partnerships

20 Nov 2019

Can Google Stadia finally bring success to cloud gaming?

18 Nov 2019

Most Popular

mergers and acquisitions

Xerox threatens hostile takeover after HP rebuffs $30bn takeover

22 Nov 2019
data breaches

T-Mobile data breach affects more than a million users

25 Nov 2019
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019
IT infrastructure

TSB payment delays suggest second IT meltdown

22 Nov 2019