It was reported by Talk Android’s Jeff Causey on the 12th of January (link here) that Google would no longer be providing security updates to WebView on devices running Android 4.3 (Jelly Bean) and earlier. In fact, it is even deeper than that: Google will not be managing the entire WebKit for these versions any longer, from which WebView is derived.
In a post on Google+ today, Android Security’s lead engineer, Adrian Ludwig, provided clarification and guidance to those nearly 1 billion device owners running Jelly Bean or earlier Android versions.
WebKit is a software component for web browsers that creates the layout engine for the browsers to render web pages. WebKit is used for both Google Chrome and Apple Safari, whereas Trident is used for Internet Explorer and Gecko is used for Firefox. WebKit is also found in the browser utilized by the Tizen Operating System.
WebView, a part of WebKit, is what allows apps to display web pages inside of the app itself. This is done to keep the user inside of the app, instead of exiting the app you’re in and redirecting you to the browser app.
WebKit, and thus WebView, is mostly open-source, with companies like Google pitching in and supporting the development of the software. By ending support for WebKit on Jelly Bean and earlier versions (from here forth, I will just say Jelly Bean), Google raised alarms that certain known exploits involving WebView may leave users running Jelly Bean exposed to malicious malware.
According to Ludwig, maintaining the legacy code for Jelly Bean in WebKit’s open-source environment was actually creating more security issues than abandoning support for it. Ludwig stated, “Until recently we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”
Ludwig went on to say that the best practices that a user of Jelly Bean devices can do is to open web materials inside of the Chrome or Firefox browser, which is updated with the latest security patches regardless of what Android version they are running. This negates the ability for any exploits made possible by WebView, which again, is something that is used inside of third-party apps not wanting to redirect to the browser. “Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.”
For developers of apps maintaining support on Jelly Bean devices, Ludwig encourages redirecting to the browser or making sure WebView only accesses content from local sources or over HTTPS. Additionally, he suggests that app developers abandon WebView altogether and instead incorporate a webpage renderer of their own design so they can maintain security patch updates on their own.
Adrian Ludwig came to Google after serving in technical leadership positions held at Adobe, Macromedia, and Joyent. He also worked for the National Security Agency. Since his arrival on the Android Security team, he’s been very vocal about Android’s minuscule vulnerability to malicious attacks.
During a speech to the Virus Bulletin conference in Berlin back in 2013, Ludwig claimed that Google and its data-driven methodology made it extremely difficult for it to be attacked by malcontents. He also pointed out the many layers of security that are in place to prevent malware from finding its way onto your Android device.
Source: Adrian Ludwig via Google+
Come comment on this article: Android Security lead engineer provides further insight to WebView security issues on devices running Jelly Bean and older versions
Visit TalkAndroid for Android news, Android guides, and much more!
