Google explains why it's not fixing web security in old Android phones
You might not be happy that Google isn't fixing a web security flaw in your older Android phone, but the search giant now says that it has some good reasons for holding off. As the company's Adrian Ludwig explains, it's no longer viable to "safely" patch vulnerable, pre-Android 4.4 versions of WebView (a framework that lets apps show websites without a separate browser) to prevent remote attacks. The sheer amount of necessary code changes would create legions of problems, he claims, especially since developers are introducing "thousands" of tweaks to the open source software every month.
Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don't use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can't abuse the vulnerable software if you're not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.
The advice should help if you're either a tech-savvy user or write apps. However, it still hints that quite a few people will remain at risk until those older releases of Android ride into the sunset. Many Android device owners aren't aware of alternatives to the stock Android browser, or can't easily get them (you have to jump through hoops to install Chrome if you can't use the Google Play Store, for instance). Also, there's no simple way to tell whether or not an app is using WebView. The chances of an attack are low if you're careful, but it could take a long, long while before the majority of Android gadgets are truly safe from WebView-related web exploits.
Adrian Ludwig (Google+)
Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don't use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can't abuse the vulnerable software if you're not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.
The advice should help if you're either a tech-savvy user or write apps. However, it still hints that quite a few people will remain at risk until those older releases of Android ride into the sunset. Many Android device owners aren't aware of alternatives to the stock Android browser, or can't easily get them (you have to jump through hoops to install Chrome if you can't use the Google Play Store, for instance). Also, there's no simple way to tell whether or not an app is using WebView. The chances of an attack are low if you're careful, but it could take a long, long while before the majority of Android gadgets are truly safe from WebView-related web exploits.
Adrian Ludwig (Google+)
Jon Fingas
Engadget