ok google

Google Clarifies Stance On The WebView Security Issues On Jelly Bean And Older Devices

January 23, 2015 - Written By John Anon

A week or two ago reports started to emerge around Google and an issue with what is known as WebView. For those new to the back story, WebView is a feature which is utilised by third party apps, to display internet content without actually redirecting the user to an internet browser. Basically, think of it, as in-app web content. Well, the issue was that Google had officially stopped supporting updates for WebView for anyone using Android 4.3 (Jelly Bean) and lower. So if you were running that version of Android, then WebView (which by the way, is one of the more hacked doors of android) was no longer being updated. What really caught the public’s attention though, was that although Google ‘officially’ stopped supporting WebView security updates, they had not actually informed the public. It was only by chance when a developer who noticed an issue with WebView and informed Google, that the news broke and the information came to light. They did however, state that developers were welcome to fix patches themselves, which further seemed to aggravate the situation.

We did point out, that although Google had stopped updating WebView for Jelly Bean and lower, that it was effectively not their fault. Once a device hits a certain age (typically thought of as 2 years old), then manufacturers (OEMs) tend to stop providing updates. As it is those OEMs who actually supply any patches, even with Google supplying fixes, then chances are the user won’t receive the update anyway. You can read our full report on the ‘who is to blame’ by clicking here. Well, it seems Google have been getting quite a bit of flak about the whole thing since the news broke, as they have now released a semi-official response to the situation.

The Google+ posting, by way of Adrian Ludwig (source link below) effectively confirms that Google will not be supporting Jelly Bean and lower running-devices, in terms of updates to its WebView. The posting does note that it is just not practical for them to do so to an operating system of that age group “applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely‘. To add to this, the posting does also suggest ways in which a user on such operating systems can “mitigate” themselves from the vulnerability. The main suggestion being to only use a browser which provides its own “content renderer” and is “updated frequently”. The posting goes on to recognise, both Chrome and Firefox as perfect examples of such browsers. Interestingly the posting does finish up by offering suggestions as to how developers can also help users avoid complications with the WebView vulnerability. Such as only using ‘trusted content’ and that they should consider using their own content renderer to maximise the level of security. So, what do you think of the latest response on the matter? Let us know your thoughts? You can read the full response by clicking the source link below.