Google Explains Decision to Leave 930 Million Android Handsets Unpatched

    Don't expect a patch for WebView in pre-KitKat Android devices

    If you own an Android handset running a version of the open source operating system that predates Android 4.3 KitKat, you won't be the recipient of a patch for WebView, a component of Android that developers use to display web content in their apps. WebView is also the backbone of Android's built-in browser in all versions up to KitKat. Nevertheless, Google won't spend time plugging up any security holes for WebView in older Android devices because it's "no longer practical."
    That may seem like sour grapes to anyone who owns one of the more than 930 million pre-KitKat Android devices in the wild, especially since researchers recently discovered a new vulnerability in WebView. Regardless, once notified of the bug, Google made it clear that no patch was coming. More recently, the company offered up an explanation as to why.
    "Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier," Andrew Ludwig, Google's lead engineer for Android security, said in a Google+ post. "But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."
    In contrast, Ludwig says that one of the improvements in KitKat is that OEMs can quickly deliver updates of WebView provided by Google, and in Android 5.0 Lollipop, those updates are delivered through Google Play, so OEMs can wipe their hands of them completely.
    "With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig added.
    So, what can you do if you own an older Android device to avoid being a sitting duck? Ludwig recommends using an alternative browser, one that's updated through Google Play. There are various options, including Chrome (supported on Android 4.0 and up) and Firefox (supports Android 2.3 and up).