Google has decided not to fix vulnerabilities in WebView for Android 4.3 and older, sparking heated discussions among developers.
Those versions of WebView are built on the older WebKit rendering engine (Android 4.4 and later use a Chromium-based WebView). Fixing them “required changes to significant portions of the code and was no longer practical to do so safely,” Adrian Ludwig, lead engineer for Android security, explained last week in a post.
Ludwig recommended steps users and developers can take to mitigate the potential exploitation of WebView vulnerabilities without updating to Lollipop, or Android 5.0.
The decision will leave 930 million users of Android devices in the lurch, Tod Beardsley warned earlier this month.
Let ‘Em Eat Cake!
Users should employ a browser that has its own content renderer and is regularly updated, Ludwig suggested.
Chrome and Firefox are securely updated through Google Play, he pointed out. Firefox is supported on Android 2.3 and higher, while Chrome is supported on Android 4.0 and higher.
Consumers should load content only from trusted sources, Ludwig advised.
Developers should “confirm that only trusted content … is displayed within WebViews in their application,” he said. They should consider providing their own renderer on Android 4.3 and earlier so they can update it with the latest security patches.
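One way to act on Ludwig's developer advice, as an added example that is not part of the original article or of any Google or Android source code: a `WebViewClient` that allow-lists the HTTPS hosts the app is permitted to render, blocks off-list navigations and subresources, and applies a least-privilege `WebSettings` profile. The `HardenedWebViewClient` class name, the `harden` helper and the `TRUSTED_HOSTS` entries are assumptions for illustration; replace them with the app's own origins.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Restricts a WebView to a fixed set of trusted HTTPS origins so that
 * untrusted pages (and the scripts, frames and images they pull in) never
 * reach the legacy WebKit renderer on Android 4.3 and earlier.
 * Example code; the host list below is a placeholder, not a real policy.
 */
public class HardenedWebViewClient extends WebViewClient {

    // Assumed allow-list for illustration only.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<String>(Arrays.asList("example.com", "static.example.com"));

    /** True only for https URLs whose host is exactly on the allow-list. */
    static boolean isTrusted(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    /** Top-level navigations: returning true tells the WebView not to load the URL. */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);
    }

    /**
     * Subresources (scripts, frames, images, XHR): serve an empty body instead of
     * fetching anything off the allow-list. Called by the platform on API 11+;
     * on older devices it is simply never invoked.
     */
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) {
            return null; // null lets the WebView fetch the resource normally
        }
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** Install the client and a minimal-privilege settings profile on a WebView. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void harden(WebView webView, boolean needsJavaScript) {
        webView.setWebViewClient(new HardenedWebViewClient());
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(needsJavaScript); // keep off unless the app needs it
        s.setAllowFileAccess(false);             // no file:// loads
        s.setSavePassword(false);                // do not cache credentials in the WebView
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            s.setAllowContentAccess(false);      // no content:// loads (API 11+)
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);      // API 16+
            s.setAllowUniversalAccessFromFileURLs(false); // API 16+
        }
    }
}
```

Call `HardenedWebViewClient.harden(webView, false)` before the first `loadUrl`. This confines the legacy renderer to content the app controls; it does not patch WebKit itself, which is why Ludwig's further suggestion for Android 4.3 and earlier is to bundle a separately updatable renderer.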
Everybody’s Going for Shiny New Stuff
“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices,” Ludwig observed.
However, Google’s own statistics tell a different tale.
Figures from a seven-day period ending Jan. 5 posted on the Android Developers Dashboard indicate Jelly Bean had 46 percent of the market and KitKat 39 percent. Ice Cream Sandwich had 6.7 percent and Gingerbread 7.8 percent. Lollipop didn’t make the cut for the dashboard, which doesn’t display any versions with less than 0.1 percent distribution.
In other words, roughly 60 percent of Android users (Jelly Bean, Ice Cream Sandwich and Gingerbread combined, all on Android 4.3 or earlier) are at risk from WebView flaws.
Still, “generally speaking, Google can’t go back and support all the old versions,” said Al Hilwa, a research program director at IDC.
“You have to have a cutoff at some point and go forward,” he told TechNewsWorld. “That’s pretty normal for the industry.”
Reactions to Ludwig’s Ideas
“Telling app developers to just provide your renderer rather than you guys handling your own screw-ups? What a joke,” wrote Jake Weisz in response to Ludwig’s post. Stating the fix is expensive or difficult “is not an excuse because it’s Google’s responsibility.”
Also, “as a developer of an app that renders content from the open Web, I feel like [the suggestion devs provide their own renderer] badly misrepresents and underestimates the work involved in such a task,” Chris Lacy wrote. “Building and shipping a Web render is an absolutely massive task.”
From a developer perspective, “it isn’t right for Google to not provide backward compatibility or at least a support library for most of the vulnerabilities,” said Anirudh Pothani, head of Android development at Copper Mobile.
“This isn’t the first time Google has done something to make developers’ lives hard by not providing backward compatibility,” he told TechNewsWorld.
In most cases, developers “might require a custom implementation of the WebView” to patch the vulnerability, Pothani said.
However, most developers might not do anything to fix the problem, because the independents might not have the time to write their own WebView, he noted, while for corporate devs, most companies “do not provide adequate time to fix issues which might need them to rewrite the core framework being used in their app.”