Google Responds to Concerns Over Widespread Android WebView Vulnerability

By NDTV Correspondent | Updated: 24 January 2015 19:26 IST

Google has issued a statement regarding the recently reported WebView security flaw that affects devices running Android 4.3 Jelly Bean and older versions, a flaw that potentially puts over 900 million users at risk. The statement is essentially a follow-up to the Android security team's earlier response that it is up to OEMs to address the issue, and that the company has already fixed it with the release of Android 4.4 KitKat and Android 5.0 Lollipop.

For those who are unaware, WebView is a part of the Android OS that lets app developers render webpages in apps without requiring a full browser. The component was based on the WebKit engine, which was replaced by Google's Chromium engine when Android 4.4 KitKat launched, resolving the reported vulnerability in WebView and also enabling quick binary updates to the component via OEM updates. Android 5.0 Lollipop then unbundled WebView from the operating system, allowing it to be downloaded and updated separately by users from Google Play - without requiring an OEM fix.


Adrian Ludwig, from Google's Android security team, said in a Google+ post on Friday that Google issues bug fixes to the current version of Android on the Android Open Source Project (AOSP) page, and directly provides "Android partners with patches for at least the last two major versions of the operating system."

Ludwig said that improving WebView and browser security is one of the areas where the company has made the "greatest progress", detailing the changes made with Android 4.4 KitKat and Android 5.0 Lollipop. He added that it is no longer feasible to update more than 2-year-old versions of WebView, which has more than 5 million lines of code and has seen hundreds of new 'commits' a month from developers since then. Ludwig says it is up to the OEM to issue an update for the issue, ideally by updating the devices running on OS versions older than Android 4.3 Jelly Bean to Android 4.4 KitKat.


Users of Android 4.3 Jelly Bean and older devices can stay safe and unaffected by WebView bugs, Ludwig points out, by using browsers that have their own rendering engine, like Firefox or Chrome. "Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future," Ludwig added in his Google+ post.

The apps that are vulnerable are those that open web pages in their own inbuilt browser. Users can get rid of these apps or disable the inbuilt browser option from inside the app. Ludwig added that developers too can help avoid the WebView bug by following Google's "security best practices" and by making sure only trusted web pages with 'HTTPS' open in their applications.
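
The developer guidance above (only trusted pages over HTTPS inside an in-app WebView) can be enforced with a URL policy check. The following is an added example, not code from Google or from the article; the class name, the allowlisted hosts and the sample URLs are assumptions, and on Android the check would be called from `WebViewClient.shouldOverrideUrlLoading` before a page is allowed to load.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical policy class: decides whether a URL may be loaded in an in-app WebView. */
public final class TrustedUrlPolicy {
    // Assumed allowlist; replace with the hosts the app actually trusts.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "help.example.com"));

    public static boolean isAllowed(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // unparseable input is never loaded
        }
        // Only HTTPS: rejects http:, file:, javascript:, data: and relative URLs.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // Credentials in the authority ("https://example.com@other.test/") can make
        // an untrusted host look trusted at a glance; refuse them outright.
        if (uri.getUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null) return false;
        // Exact match against the allowlist, no substring or suffix matching,
        // so "example.com.other.test" does not pass.
        return TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample URLs, not taken from the article.
        String[] samples = {
            "https://example.com/account",
            "http://example.com/account",
            "https://example.com@other.test/",
            "https://example.com.other.test/",
            "file:///sdcard/page.html",
            "javascript:alert(1)",
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "BLOCK ") + s);
        }
    }
}
```

Rejecting by default and matching hosts exactly keeps the decision independent of how the old WebView itself would interpret an ambiguous URL.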


To add some context, Google's latest distribution data of different versions of Android has revealed that Android 5.0 Lollipop, the latest publicly available version of Google's mobile and tablet operating system, is powering less than 0.1 percent of Android devices while Android KitKat has a total share of 39.1 percent. The distribution data of different versions of Android also revealed that Android Jelly Bean still powers the greater part of Android devices, with a combined percentage of 46 percent.

Interestingly, Google, a company that says it will not be able to roll out a fix for the WebView bug to the majority of Android users, has lately been publishing the OS security flaws of Microsoft and Apple, albeit after giving them 90 days to provide bug fixes. According to the latest report, Google has revealed two new flaws in Apple's OS X operating system. The search giant recently also revealed a number of security holes in Microsoft's Windows 7 and Windows 8.1 OS versions, despite Microsoft's request to hold off for a few days until the patch was rolled out.

 
