Google will not address a vulnerability recently discovered in a major component of its Android operating system, WebView, for devices running versions 4.3 Jelly Bean or older. WebView is a component that allows developers to deliver a Web app as part of a client app.
According to the company’s lead engineer for Android security, Adrian Ludwig, it isn’t practical to address the vulnerability, despite it affecting more than 60% of users. The company will not patch the security bug because the affected WebView is based on an older browser engine (WebKit), and fixing it would be too complex.
“Keeping software up to date is one of the greatest challenges in security,” Ludwig wrote on his Google+ page. “But WebKit alone is over 5 million lines of code, and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”
Ludwig added that the company has made great progress in KitKat and Lollipop, giving Android device manufacturers the ability to quickly provide binary updates of WebView.
“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices,” he wrote.
While the company has decided not to patch WebView for versions 4.3 and earlier, Ludwig did provide some guidance for developers and users to mitigate the potential risks without having to update to Lollipop. Some suggestions included using apps that only load content from trusted sources, using a browser that’s updated through Google Play, and making sure browsers are regularly updated and provide their own content renderer.
“Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future, it will also protect you against any issues that might be found in the future,” Ludwig wrote. “It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.”
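The “only load content from trusted sources” advice above, as an added Android example that is not from the article or from Google: a WebViewClient that confines a legacy (4.3 and older) WebView to an allowlist of HTTPS hosts and turns off the riskier settings. The host names are placeholders to be replaced with the app’s own backend.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Confines a WebView to an explicit allowlist of HTTPS origins. */
public final class TrustedWebViewClient extends WebViewClient {
    // Hypothetical trusted hosts; replace with the app's own backend.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "cdn.example.com"));

    /** Returns true only for https:// URLs whose host is on the allowlist. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    // Called for top-level navigations (links, redirects, location changes),
    // not for the initial loadUrl() or for subresources such as scripts and images.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url); // returning true tells the WebView not to load it
    }

    /** Hardens a WebView before it loads anything; applies on legacy devices too. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);               // enable only if the app truly needs it
        s.setAllowFileAccess(false);                 // no file:// loads
        s.setAllowFileAccessFromFileURLs(false);     // no cross-file reads if file:// is ever used
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new TrustedWebViewClient());
    }

    /** Gate the initial load too, since shouldOverrideUrlLoading does not see it. */
    public static boolean loadTrusted(WebView webView, String url) {
        if (!isTrusted(url)) return false;
        webView.loadUrl(url);
        return true;
    }
}
```

Call `harden()` before the first `loadTrusted()`; this limits exposure of an unpatched renderer to content the app already trusts, but does not fix the underlying WebKit bugs, so an updatable browser remains the better path for general browsing.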
More information is available here.