The alarm bell is once again ringing over Android security.
A Forbes report cites security experts dinging Google over the company’s decision to no longer issue security updates for WebView in devices running Android 4.3 (Jelly Bean) or lower.
WebView is a key component of the Android OS that lets apps show web content inside of an app instead of kicking you over to a browser. It may be used in RSS readers or other applications that connect you to web content—it’s often more convenient to read an article or fill out a form without needing to leave the app. However, the danger is that a hacker could exploit a vulnerability in WebView and sneak in some malicious code, thereby infecting your device.
With KitKat (Android 4.4), WebView is now based on Chromium, which powers the Chrome browser, making it more secure. In Lollipop (Android 5.0), Google unbundled WebView from operating system updates, so it can get regular security patches and performance improvements through Google Play. Chrome is a major piece of the Google empire, so it’s a high priority in terms of keeping things stable and secure.
That’s not going to help those using an older device. However, even if Google did issue a patch, it would require an OS update for you to get it on an older phone or tablet. There are millions of devices out there still running Jelly Bean, Ice Cream Sandwich, or even Gingerbread. Often hardware makers cut ties with older devices, hoping you’ll buy a new one. Once Google pushes out an update to Android, it’s up to the phone makers to decide who gets it.
So, while there are nearly a billion users in the world who will no longer receive WebKit security updates from Google, it’s certainly true that a huge portion of them are no longer getting OS updates at all, anyway. Thus the real impact of Google’s decision not to update WebKit for pre-KitKat devices is rather hard to measure.
It looks like Google is taking the long view with this issue, focusing its efforts on a better method for addressing WebView security rather than chasing flaws to make patches that wouldn’t get deployed to older phones anyway. This latest security issue is another symptom of how large and fragmented the Android ecosystem really is.
Why this matters: Whether it’s fair or not, Android has been pegged as the “less secure” operating system when compared to iOS. Yes, there are plenty of cheap Android phones that don’t get updates and are probably insecure, but by and large, if you stick to one of the big-brand flagship devices and follow good security practices, you should be all right.