It was reported by Talk Android's Jeff Causey on January 12 (link here) that Google would no longer be providing security updates for WebView on devices running Android 4.3 (Jelly Bean) and earlier. In fact, it goes even deeper than that: Google will no longer be maintaining WebKit, from which WebView is derived, for those versions at all.
In a recent post on Google+, Android Security's lead engineer, Adrian Ludwig, offered an explanation and guidance to the nearly 1 billion device owners running Jelly Bean or earlier Android versions.
WebKit is a software component for web browsers that provides the layout engine browsers use to render web pages. WebKit is used by both Google Chrome and Apple Safari, while Trident is used by Internet Explorer and Gecko by Firefox. WebKit is also found in the browser used by the Tizen operating system.
WebView, a component derived from WebKit, is what allows apps to display web pages inside the app itself. This is done to keep the user within the app, instead of leaving the app you are in and being redirected to the browser app.
WebKit, and therefore WebView, is largely open source, with companies like Google contributing to and supporting development of the software. By ending support for WebKit on Jelly Bean and earlier versions (from here on, I will just say Jelly Bean), Google raised concerns that certain known exploits involving WebView could leave users running Jelly Bean exposed to malware.
According to Ludwig, maintaining the legacy code for Jelly Bean in WebKit's open-source environment was actually creating more security problems than dropping support for it. Ludwig said, "Until recently we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some cases applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."
Ludwig went on to say that the best practice for users of Jelly Bean devices is to open web content in the Chrome or Firefox browser, which are updated with the latest security patches regardless of which Android version they are running. This sidesteps any exploit made possible through WebView, which again is something used inside third-party apps that do not want to redirect to the browser. "Using a browser that can be updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users."
For developers of apps that maintain support for Jelly Bean devices, Ludwig encourages redirecting to the browser, or ensuring that WebView only loads content from local resources or over HTTPS. Additionally, he suggests that app developers abandon WebView altogether and instead bundle a web renderer of their own so they can handle security patch updates themselves.
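The developer guidance above (load only bundled or HTTPS content into WebView, hand everything else to the updatable system browser) can be enforced from a single WebViewClient. The following is an added example written for this article, not code from Ludwig's post or from Google; the class name RestrictedWebViewClient, the helper harden(), and the TRUSTED_HOSTS allowlist with its placeholder host are assumptions made for illustration. It uses only the String-based callbacks that exist on Android 4.3, since that is the platform the guidance targets.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical WebViewClient (example code, not from the post) that keeps a
 * WebView on an unpatched Android 4.3 device to two kinds of content:
 * assets bundled in the APK and HTTPS pages from an app-chosen host list.
 * Any other top-level navigation is sent to the system browser, which
 * still receives security updates through Google Play.
 */
public class RestrictedWebViewClient extends WebViewClient {

    // Content shipped inside the APK is served from this prefix.
    private static final String LOCAL_ASSET_PREFIX = "file:///android_asset/";

    // Placeholder allowlist; an app would list the hosts it actually trusts.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<String>(Arrays.asList("example.com"));

    /** Returns true if the URL may be rendered inside the WebView. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        if (url.startsWith(LOCAL_ASSET_PREFIX)) return true;
        Uri uri = Uri.parse(url);
        // Require HTTPS and a trusted host; "trusted sources" per the post.
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    /** Applies conservative settings before any content is loaded. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);          // enable only if the page needs it
        settings.setAllowFileAccess(false);            // file:// outside assets is blocked;
                                                       // android_asset/ still works
        settings.setAllowContentAccess(false);         // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new RestrictedWebViewClient());
    }

    // Top-level navigations (link taps, redirects). The String variant is
    // the one available on API 18 and below.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isAllowed(url)) {
            return false; // let the WebView load it
        }
        // Hand everything else to the user's updatable browser.
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            view.getContext().startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // No browser installed: drop the navigation rather than render it here.
        }
        return true; // navigation consumed
    }

    // Sub-resources (scripts, images, frames) bypass shouldOverrideUrlLoading,
    // so they are filtered here. An empty response makes the WebView treat the
    // resource as unavailable; null lets the normal load proceed.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isAllowed(url)) {
            return null;
        }
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Call RestrictedWebViewClient.harden(webView) once before the first loadUrl(). The two overrides matter together: shouldOverrideUrlLoading only sees navigations, so without shouldInterceptRequest a trusted HTTPS page could still pull a script over plain HTTP into the unpatched renderer.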
Adrian Ludwig came to Google after serving in technical leadership positions at Adobe, Macromedia, and Joyent. He also worked for the National Security Agency. Since his arrival on the Android Security team, he has been very vocal about Android's minimal vulnerability to malicious attacks.
During a talk at the Virus Bulletin conference in Berlin back in 2013, Ludwig claimed that Google's data-driven approach made it extremely difficult for the platform to be attacked by malicious actors. He also discussed the many layers of security that are in place to prevent malware from finding its way onto your Android device.
Source: Adrian Ludwig via Google+