Best Practices for Implementing Security Awareness Training » Download Free Whitepaper
Welcome Guest | Sign In
Salesforce Commerce Solution Guide

Google Gives WebView the Cold Shoulder

By Richard Adhikari
Jan 30, 2015 5:00 AM PT

Google has decided not to fix vulnerabilities in WebView for Android 4.3 and older, sparking heated discussions among developers.

Google Gives WebView the Cold Shoulder

Those versions of WebView run on the WebKit browser. Fixing them "required changes to significant portions of the code and was no longer practical to do so safely," Adrian Ludwig, lead engineer for Android security, explained last week in a post.

Ludwig recommended steps users and developers can take to mitigate the potential exploitation of WebView vulnerabilities without updating to Lollipop, or Android 5.0.

The decision will leave 930 million users of Android devices in the lurch, Tod Bearsley warned earlier this month.

Let 'Em Eat Cake!

Users should employ a browser that has its own content renderer and is regularly updated, Ludwig suggested.

Chrome and Firefox are securely updated through Google Play, he pointed out. Firefox is supported on Android 2.3 and higher, while Chrome is supported on Android 4.0 and higher.

Consumers should load content only from trusted sources, Ludwig advised.

Developers should "confirm that only trusted content ... is displayed within WebViews in their application," he said. They should consider providing their own renderer on Android 4.3 and earlier so they can update it with the latest security patches.

Everybody's Going for Shiny New Stuff

"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig observed.

Android 4.4, aka "KitKat," introduced a new WebView component based on the Chromium open source project. It includes an updated version of the V8 JavaScript engine and support for modern Web standards not in the earlier version of WebView.

However, Google's own statistics tell a different tale.

Figures from a seven-day period ending Jan. 5 posted on the Android Developers Dashboard indicate Jelly Bean had 46 percent of the market and KitKat 39 percent. Ice Cream Sandwich had 6.7 percent and Gingerbread 7.8 percent. Lollipop didn't make the cut for the dashboard, which doesn't display any versions with less than 0.1 percent distribution.

In other words, a good 60 percent of Android users are at risk from WebView flaws.

Still, "generally speaking, Google can't go back and support all the old versions," said Al Hilwa, a research program director at IDC.

"You have to have a cutoff at some point and go forward," he told TechNewsWorld. "That's pretty normal for the industry."

Reactions to Ludwig's Ideas

"Telling app developers to just provide your renderer rather than you guys handling your own screw-ups? What a joke," wrote Jake Weisz in response to Ludwig's post. Stating the fix is expensive or difficult "is not an excuse because it's Google's responsibility."

Also, "as a developer of an app that renders content from the open Web, I feel like [the suggestion devs provide their own renderer] badly misrepresents and underestimates the work involved in such a task," Chris Lacy wrote. "Building and shipping a Web render is an absolutely massive task."

From a developer perspective, "it isn't right for Google to not provide backward compatibility or at least a support library for most of the vulnerabilities," said Anirudh Pothani, head of Android development at Copper Mobile.

"This isn't the first time Google has done something to make developers' lives hard by not providing backward compatibility," he told TechNewsWorld.

In most cases, developers "might require a custom implementation of the WebView" to patch the vulnerability, Pothani said.

However, most developers might not do anything to fix the problem, because the independents might not have the time to write their own WebView, he noted, while for corporate devs, most companies "do not provide adequate time to fix issues which might need them to rewrite the core framework being used in their app."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Salesforce Commerce Solution Guide
Has technology made transportation more or less safe?
Traveling by all modes of transportation has become riskier with each passing year.
In general, transportation safety has been improving steadily, despite some failures.
Some modes of transportation have been improving while others have become less safe.
We may have reached a tipping point where more tech means less safety.
Don't blame the tech -- greedy companies haven't done adequate testing.
Government regulators have not been playing a strong enough oversight role.
Salesforce Commerce Solution Guide