If you are still waiting for Google to do something about the WebView vulnerabilities in older Android releases, you may not be a fan of their official response to the matter. Google says they’ve already fixed it, sort of, but at least offered ways that you can protect yourself and your data going forward.
In a recent Google+ post, echoing an older DevBytes video and our own take on the matter, Google has addressed the WebView issues that have been a growing target for complaints against the free and open source Android OS. Android releases prior to KitKat, that is, versions 4.3 and older, have a known code injection flaw in the WebView element.
WebView is a component within Android that allows apps to display web content inside the app; you’ve all seen it before as ads at the bottom of a free game or as an in-app web based help page. Although the Google+ post goes on to describe a few best practices, the underlying message is unforgiving and clear: WebView is broken, so don’t use it.
WebView is broken, don't use it
Perhaps Google’s advice is easier said than done, especially for the casual gamers in the crowd, but disabling the default Android browser and installing Chrome, Dolphin or another full web browser is good advice regardless of the issues. Developers, please familiarize yourself with the best practices for your apps, to keep us secure.
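For developers who cannot drop WebView entirely, one common hardening pattern is to limit what the component is allowed to load at all. The following is an added example written for this article, not code from the article or from Google’s post; the host `help.example.com` and the `HelpActivity` class are placeholders. It keeps JavaScript off unless a page genuinely needs it, blocks file and content provider access, never exposes Java objects to page scripts, and cancels any navigation that is not HTTPS to an allowlisted host.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: a WebView locked down to a small HTTPS allowlist.
// "help.example.com" is a placeholder host, not one from the article.
public class HelpActivity extends Activity {
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("help.example.com"));

    // True only for https:// URLs whose host is on the allowlist.
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        setContentView(web);

        WebSettings s = web.getSettings();
        s.setJavaScriptEnabled(false);   // enable only if the help page truly needs script
        s.setAllowFileAccess(false);     // no file:// URLs from inside the WebView
        s.setAllowContentAccess(false);  // no content:// provider access either
        // Deliberately no addJavascriptInterface(): never hand Java objects to page content.

        web.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView not to load the URL,
                // so anything off the allowlist is simply dropped.
                return !isAllowed(url);
            }
        });

        web.loadUrl("https://help.example.com/faq");
    }
}
```

This does not repair the WebView bug the article describes; that lives in the component itself on Jelly Bean and older. What it does is shrink the app’s exposure to content the developer controls over an encrypted connection, so an attacker cannot simply steer the WebView to a page of their choosing.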
Now, didn’t you say that Google fixed the issue? Well, yes, sort of. Google took the time in the Google+ post to explain that they have limited resources for working on older versions of Android. Plainly put, Android 4.4 KitKat included the fix to the WebView bug. Keep in mind that KitKat is itself over a year old now, having gone through versions up to 4.4.4 before giving way to Android 5.0 Lollipop, which is also a couple of versions in already. Android 5.0.2 Lollipop is already shipping out to some devices.
Bottom line, users of devices running Jelly Bean and older are just out of luck. Please take the precautions discussed, or have a look at installing a custom ROM, if one is available for your Android unit.
Is this an acceptable response from Google, or should they dedicate more staff to fixing older Android releases? Before you answer, I might suggest taking a look at the latest Android distribution numbers.