Understanding WebView and Android security patches

A recent revelation that Google is no longer developing security patches for the "WebView" component of Android in Jelly Bean and earlier has once again put a spotlight on Android security, and the challenges involved with securing the one billion or so active devices. First revealed by Metasploit on Jan. 12, Google's stance on updating this central Android component has been widely reported in the following days.

So what exactly is WebView, and what does Google's stance on WebView updates mean for Android device owners? And if you're still running Jelly Bean, what can you do to minimize the risk? We'll take a detailed look after the break.

First things first: What is WebView?

Viewing a web page in anything besides Chrome? Chances are you're looking at a WebView.

WebView is the part of the Android OS responsible for rendering web pages in most Android apps. If you see web content in an Android app, chances are you're looking at a WebView. The major exception to this rule is Google Chrome for Android, which instead uses its own rendering engine, built into the app. (The same goes for some third-party Android browsers like Firefox.)

In older versions of Android (4.3 and below), WebView uses code based on Apple's WebKit — the same tech behind the Safari browser. In Android 4.4 and above, WebView is based on Chromium, the open-source base of Google Chrome (which uses Google's Blink engine). In Android 5.0, WebView was broken out as a separate app, presumably to allow timely updates through Google Play without requiring firmware updates to be issued.

What's going on?

Security researchers from Metasploit, after discovering several security exploits in Android 4.3's WebView component and submitting them to Google, have published an email from security@android.com revealing that Google generally doesn't develop patches for pre-Android 4.4 versions of WebView.

The email excerpts published by the outlet read:

"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

Why is it bad?

As Metasploit points out, more than 60 percent of active Android devices are currently running Jelly Bean (Android 4.1-4.3) or earlier, potentially leaving them open to web-based nasties when browsing through a WebView. This is particularly worrisome for those on Android 4.3 and below using built-in web browsers from manufacturers like HTC, Samsung and LG (to name but three), which use WebViews to display content from the web.

The fact that Google isn't actively developing fixes for older WebView implementations means it's up to OEMs to patch this stuff on their own.

Android 4.0-4.3 owners using non-WebView browsers like Chrome or Firefox won't be exposed to these vulnerabilities when using their web browser of choice. However, they could still be at risk if a third-party app's WebView loads a malicious site. That is less likely than running into malware in the course of regular web browsing, but given that high-profile apps like Feedly and Facebook use WebViews to display third-party content, it's far from impossible.

Android platform version numbers for month ending Jan. 5, 2015.

Why it sort of makes sense (or: the reality of updating Android)

It's easy to confuse the symptom — WebView vulnerabilities — with the root cause. The real problem isn't that Google won't update Jelly Bean's WebView, but that so many devices are still running Android 4.3 and below with little prospect of being updated, regardless of whatever action Google might take. Even if Google were to issue patches for Jelly Bean's WebView code (and Ice Cream Sandwich's, and Gingerbread's), users would still be waiting on OEMs (and carriers) to push out firmware updates, just as they're waiting on Android 4.4 today. And if the manufacturers of these devices were inclined to push out updates at all, chances are they wouldn't be stuck on Android 4.3 or earlier to begin with.

From Google's perspective, the fix for this issue was released more than a year ago with the arrival of Android 4.4 KitKat. In an ideal world, that would be the patch OEMs applied to their Jelly Bean phones, and as a result nobody would be running Android 4.3 or below more than a year after 4.4 became available. Unfortunately, despite efforts on multiple fronts, Android updates remain something of a crapshoot.

But there is a silver lining — Google's taking steps to ensure WebView is easier to patch in Android 5.0 and beyond.

What now?

Because Google won't be developing patches to Jelly Bean's WebView, it's up to OEMs to develop and roll out their own fixes on affected phones and tablets. Given that these devices are already running a fairly old version of the OS, we're not holding our breath for manufacturers and carriers to deploy anything in a timely manner. And to be clear, that would likely be the case regardless of whether Google developed its own Jelly Bean WebView patches or not.

If you're running Android 4.3 or below, we'd recommend switching to a browser that doesn't use WebView, such as Google Chrome or Mozilla Firefox. As for protecting yourself in other apps that use WebViews, it's always a good idea to only install apps you trust, and to take basic precautions when browsing the web. Facebook, for instance, lets you disable its built-in browser and open web links in your browser of choice.
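For app developers, the advice above has a concrete form. The following is an added example, not code from the article or from any app it names: a WebViewClient that treats only the app's own HTTPS hosts as in-app content and, on Android 4.3 and below (where Google no longer develops WebView patches), sends every other link to the user's chosen browser, which is the behaviour the Facebook setting mentioned above exposes to users. On 4.4 and later, third-party pages may stay in-app but with JavaScript and local file access turned off. The host names and the class name are hypothetical placeholders.

```java
// Added example, not from the article: keep third-party pages out of the in-app
// WebView on devices whose WebView no longer receives Google patches (Android 4.3
// and below), and render only the app's own content in-process.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class GuardedWebViewClient extends WebViewClient {

    // Hosts the app itself serves; everything else counts as third-party content.
    // These names are hypothetical placeholders for the example.
    private static final Set<String> FIRST_PARTY_HOSTS = new HashSet<>(
            Arrays.asList("app.example-host.invalid", "static.example-host.invalid"));

    private final Activity activity;

    public GuardedWebViewClient(Activity activity) {
        this.activity = activity;
    }

    /** Android 4.3 (API 18) and below ship the legacy WebKit-based WebView. */
    static boolean hasUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19
    }

    /** Only HTTPS pages on the app's own hosts are treated as first-party. */
    static boolean isFirstParty(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && FIRST_PARTY_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Policy: first-party always in-app; third-party in-app only on a patched engine. */
    static boolean shouldRenderInApp(String url) {
        return isFirstParty(url) || !hasUnpatchedWebView();
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!shouldRenderInApp(url)) {
            openInUserBrowser(url);
            return true; // consumed: the WebView must not load it
        }
        applySettings(view.getSettings(), isFirstParty(url));
        return false; // let the WebView load it
    }

    /** Tighten WebView settings for third-party pages even on a patched engine. */
    static void applySettings(WebSettings settings, boolean firstParty) {
        settings.setJavaScriptEnabled(firstParty); // scripts only for our own pages
        settings.setAllowFileAccess(false);        // no file:// reads from page content
        settings.setAllowContentAccess(false);     // no content:// provider access
    }

    /** Hand the URL to whatever browser the user has chosen as default. */
    private void openInUserBrowser(String url) {
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        if (intent.resolveActivity(activity.getPackageManager()) != null) {
            activity.startActivity(intent);
        } else {
            Toast.makeText(activity, "No browser is installed to open this link",
                    Toast.LENGTH_SHORT).show();
        }
    }
}
```

Install it with `webView.setWebViewClient(new GuardedWebViewClient(this))`. Note that `shouldOverrideUrlLoading` fires only for navigations a loaded page initiates, not for the app's own initial `loadUrl` call, so the app should run the same `shouldRenderInApp` check before that first load as well.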

As a web-facing part of the Android OS that's difficult to update, WebView is an obvious target for anyone wanting to find Android exploits that affect a large number of people, and that can't be immediately nullified by an app update. That's surely why Google has made it possible to update WebView independently of the OS in Android 5.0 and beyond. If similar vulnerabilities were discovered in Lollipop's WebView, Google would simply push out an update through the Play Store and be done with it. However, due to the nature of Android, it's going to take time for Lollipop to become anywhere near as widespread as Jelly Bean. And that means it could be years before the majority of Android users benefit from the new, modular WebView implementation.
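The three WebView generations described above (WebKit built into the firmware on 4.3 and below, Chromium built into the firmware on 4.4, and the separately installed Chromium package on 5.0 and later) can be told apart at runtime. The following is an added example, not code from the article: the check an app or a device-management tool would use to learn whether a device's WebView is on any patch channel at all. The package name `com.google.android.webview` is the one Google uses for the updatable WebView on Lollipop; the class, enum and method names are hypothetical.

```java
// Added example, not from the article: report which WebView generation a device
// runs and through which channel, if any, a fix for it could arrive.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;

public final class WebViewPatchChannel {

    /** Who can deliver a WebView fix to this device. */
    public enum Channel {
        NONE,          // legacy WebKit build: Google no longer develops patches
        OEM_FIRMWARE,  // Chromium build compiled into the firmware image
        PLAY_STORE,    // Chromium build in a separately updatable package
        UNKNOWN        // Android 5.0+ without the Google package (non-Google build)
    }

    // Package name of the updatable WebView on Android 5.0 and later.
    static final String UPDATABLE_WEBVIEW_PACKAGE = "com.google.android.webview";

    /** Simple result holder: the channel plus a human-readable detail line. */
    public static final class Report {
        public final Channel channel;
        public final String detail;

        Report(Channel channel, String detail) {
            this.channel = channel;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return channel + ": " + detail;
        }
    }

    public static Report inspect(Context context) {
        int sdk = Build.VERSION.SDK_INT;
        if (sdk < Build.VERSION_CODES.KITKAT) {        // API 18 and below: Android 4.3-
            return new Report(Channel.NONE,
                    "WebKit-based WebView built into firmware (API " + sdk + ")");
        }
        if (sdk < Build.VERSION_CODES.LOLLIPOP) {      // API 19-20: Android 4.4
            return new Report(Channel.OEM_FIRMWARE,
                    "Chromium-based WebView built into firmware (API " + sdk + ")");
        }
        try {
            // Android 5.0+: the WebView lives in its own package with its own version.
            PackageInfo info = context.getPackageManager()
                    .getPackageInfo(UPDATABLE_WEBVIEW_PACKAGE, 0);
            return new Report(Channel.PLAY_STORE,
                    UPDATABLE_WEBVIEW_PACKAGE + " " + info.versionName + " (API " + sdk + ")");
        } catch (PackageManager.NameNotFoundException e) {
            return new Report(Channel.UNKNOWN,
                    "API " + sdk + " but " + UPDATABLE_WEBVIEW_PACKAGE + " is not installed");
        }
    }
}
```

Logging `WebViewPatchChannel.inspect(context)` at startup gives a fleet a quick count of how many devices fall in the `NONE` bucket, which is the population the article's 60 percent figure describes.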

Alex is global Executive Editor for Android Central, and is usually found in the UK. He has been blogging since before it was called that, and currently most of his time is spent leading video for AC, which involves pointing a camera at phones and speaking words at a microphone. He would just love to hear your thoughts at alex@androidcentral.com, or on the social things at @alexdobie.

64 Comments
  • Considering that SD Card issues are present with Kit Kat, I would say everything should just skip to Lollipop. The issue will fix itself over time. Just upgrade to a Lollipop OS or higher device when your Jelly Bean is in need of replacement and use Chrome or FF in the interim.
  • Sounds simple but, between Samsung and Verizon, I doubt I will see a Lollipop update for a very long time! Therefore I have no choice but to either go with the shipped 4.3 or latest 4.4.2 build that my Note 3 has available (stupid Samsung/Verizon locked the bootloader of the phone so you're stuck with TouchWiz based custom roms).
  • People still use SD cards? Wow. I thought it was 2015.
  • Is this a serious comment? I know cloud storage prices aren't outrageous, but yeah, some people really like having books movies and music and many other things such as twrp or cwm backups handy without having to download or potentially pay monthly for Posted via Android Central App
  • Yes it was a serious question. The common format for SD cards is fat32, which doesn't support permissions. This makes it a terrible means of storage in a smartphone. I have had the Nexus 4 and 5, and have never wanted an SD card. And yes, I do twrp backups, so I know all the gigabytes they take up.
  • It's easy for someone who doesn't store a lot of music. I have 50 gigabytes of music, and I don't want to waste my money on paying for more data to stream my music, and that's why I have a SD card. Posted on my Galaxy S5
  • Do you honestly store your whole library on your phone? I've got a 32GB Moto X, and I pin my perennial playlists and then I pin whatever I'm currently listening to and allow Google Play Music to cache whatever else sneaks through my queue. Haven't run out of storage yet.
  • Well I put movies, music, photos on my tab and the 16 gig I have (a lot less left after the os and apps install) will fill up pretty quickly. I just don't care about fat32 and permissions. That's music and movies for which I have plenty of backups. It's not my backup system. It's not my bank account that I'm storing on the SD card. Wake the fuck up.
  • Don't worry, it's only a nub who posted that comment lol.
    A phone HAS TO HAVE a micro sd slot.
    People who are more productive than others find it useful.
    Also, just because you have a 32gb/64gb phone, what are you gonna do when you don't have enough space left???
    OOPS! You wanna delete some shyt?! Be my guest, while I still have all my stuff. All I gots to do is insert a micro sd card :D
  • yea that's a bit of an idiot comment. I don't want an SD card in my device, just give me 32 or 64GB of onboard storage and that's fine. I'd actually personally prefer we get rid of SD card support in Android altogether, it would solve more problems than it creates actually. BUT. There are those who swear by SD card support in their devices, and I'm happy that there are devices and solutions that work for them. That's part of what makes Android the OS that over a billion people use. Just because I don't like something doesn't mean someone else can't. If Joe Smith wants an SD card on his device, all the power to him. I'm glad he has the ability to do it.
  • Wow, what a stupid comment! Are you really thinking that I'm gonna keep my gigabytes of documents, photos, music, movies in the cloud? LO fuckink L.
  • & what if the provider that had an exclusive supply deal with the OEM of a phone you bought, & then they fell out.
    Resulting in my RAZR M being hung out to dry on 4.1, fuck you Telstra Posted via the Android Central App
  • So really, Google is taking the heat for OEMs and carriers?
    Who both stand in the way of the needed goal to some degree. Who both should offer a newer handset at sharply reduced cost!
  • All this is just another reason to avoid OEMs who don't update in a timely manner.
  • If it is easy for Google to patch they should do it. I bet MS and Apple would. But alas, Google can do no wrong. Blame it on the OEM partners.
  • +1000, any argument to the contrary is simple fanboyism. Long past believing Google can do no wrong. When 60% of your user base is vulnerable you fix it period. And this after throwing Microsoft under the bus. Posted via the Android Central App
  • Did you even read the article? Google could fix it. By updating AOSP. But then what. Hmm? It's still up to the OEM to merge the fix into their custom rom (Sense, Touchwiz, etc) and work with the carriers to push a patch out. Google can't just push a magic button and fix this issue on every old phone (seems like they have this ability in Lollipop though). Ultimately, it IS the OEM's job. Stop creating fake drama.
  • I completely disagree, and here's why: Google builds and releases an open-source operating system, with no expectation or involvement in the way that OEMs push that OS to their devices. The only involvement on Google's part is at the point where Google allows their apps (Play Store and Play Services to be specific) onto the device. If the OEMs are going to be lazy and decide that 12-18 months is the maximum amount of time that they're going to release OS updates for those devices, then the brunt of any security holes or bugs falls on them for deciding to no longer support that hardware. Furthermore, if Google goes back and supports those older Android versions, after being very clear about their update structure (and also having developed 4.4, 5.0, 5.0.1, and 5.0.2 in the two years following the affected Android versions), then they are submitting to the shitty update timelines of the OEMs, which will do nothing less than very seriously damage the power Google wields over the OEMs. Google should absolutely stand their ground here and hold the manufacturers accountable for not fully supporting their devices for the life of those devices. The fact of the matter is that these devices tend to last much longer than the 18 months that the OEMs offer support for, and that's bad business. If the traditional user is buying a device with a 2-year contract attached to it, there should be some degree of security in the fact that said device will be supported at least as long as the contract... Slap the OEMs on the wrist over this, not Google. Google fixed this issue in November of 2013!
  • The patch was already made a year ago. It's named Android 4.4 Kit Kat. Should OEMs take that patch and distribute it, the problem would be solved.
  • It's much easier to update to a patched 4.3 build than it would be to update to 4.4.
  • And in whom lies the task of patching a 4.3 build? Google already did it, its 4.4. It has been available for over a year. Even if Google did put a patched 4.3 build out in the open, it would be stuck in the same limbo as all Android updates thanks to OEMs and carriers.
  • So should Microsoft stop providing security updates for Windows 7 just because Windows 8 has come out?
  • That's not even close to the same thing. Microsoft CAN directly patch Windows 7. Google CANNOT directly update Android on OEM partners' phones. They CAN patch AOSP. And then the OEM partners can make a new build, test it, submit it to carriers, have it tested, certified.... and released.
  • But they haven't even patched AOSP, even though they could. Posted via the Android Central App
  • You're missing the point. There is no point in updating AOSP because OEMs aren't going to update the OS and custom ROMs are using 4.4 or 5. The people who update frequently have the fix, and people who don't get the fix would never get it even if Google updated AOSP. Posted on my Galaxy S5
  • Microsoft has direct control over distribution for updates for their own operating systems.
    Google doesn't. Even if they did patch 4.3 and made it available for all manufacturers it would not change the situation. Users that still have 4.3 would still be waiting for eternity for OEM to do their job and give some support.
  • If it can't be updated through play services, what do you want Google to do exactly? Google is far from perfect, they've done a lot I don't like of late. But maybe the reason the blame is being placed on OEMs and carriers is because it's their fault. Wubba lubba dub dub!
  • Who has time to actually read articles. Let's just comment about what we want it to say!
  • Agreed. This article has so much spin, I bet you could attach a generator to make some green energy. It's like MS telling people that to fix a vuln in Win7, they should upgrade to Win8. Let's see how that one flies. Not everyone could fork out the cash to bypass the fact that OEM dropped support for it. And even then, being able to upgrade can be more of a curse. I upgraded my Nexus 5 to 5.0 and something keeps slowing it down. Not everyone wants to be on the bleeding edge.
  • The problem with your analogy is that Microsoft has full control over windows as it is a closed system, they are free to update and modify it in whatever way they want. Google on the other hand only controls updates for a small number of android devices, it's up to HTC, Samsung, Motorola et al to release their own software updates. Wubba lubba dub dub!
  • Yeah, who does Microsoft have to go through to push updates to their OS? Oh yeah, nobody because it's a closed system and they have complete control over updating. Posted on my Galaxy S5
  • True but then you get to Windows Phone. One example, Verizon and the Lumia Icon. OEM's need to up their game. You can say lots of things about Apple but they sure have the updating procedure worked out even with server overload. Posted via the Android Central App
  • Did you read the article? Google has made the patch available for over a year now, it's the carriers and OEMs that are holding out on consumers. If you own anything other than a Nexus, GPe device or Motorola's latest then you know Google doesn't roll updates straight out to OEM devices. Posted via Android Central App
  • Actually WebView isn't all that common in apps. I can't think of a single app I use that has a WebView in it.
  • Pretty sure both the eBay and Amazon apps use webview. eBay a little, Amazon a lot. They shouldn't, but they do. I don't know if you use those apps, but you'd have a hard time arguing that they're unpopular. Wubba lubba dub dub!
  • The post says that Facebook uses WebView to display third-party content. Unless Alex is incorrect about that, WebView is used by one of the most popular and most-used apps in the Play Store.
  • Doesn't pretty much anything that used Phonegap qualify since it internally used Webview for content display? There are a metric assload of Phonegap-based applications out there.
  • The Android Central app uses web views, for sure the login pages for other services. Posted via the Android Central App
  • Google should have made webview auto update right from the start.
  • Agree, considering the type of component it is. At least it's not going to be an issue from Lollipop onwards.
  • I wonder if it is in the OEM's and the Carriers interest to not update driving customers to buy new equipment. I have a Sammy Tab 2 10.1 that will never come off of 4.2
  • People just need to use Chrome or Firefox as their main browser...even on older Android OS-es. Posted via Android Central App on Nexus 5 or LG G2
  • What about Google's *own* Jellybean devices - e.g. the Galaxy Nexus. Who's supposed to issue the fix for that? Oh, right. You're just supposed to junk it and get a newer device. That's the only thing I seriously hate about Android. If you're not going to update your device OS, you need to issue security updates to the OS it's running. For more than 2 years. Okay, the G-Nexus is coming up on 3 years old, but it's still a quite viable device (easily as capable as a brand new Moto G) - and it's inexcusable to turn it into a malware vector out of laziness, or cheapness, or whatever. If you're selling phones, support them. Nobody said that's an easy business to be in. But you're in it, Google.
  • The G-Nexus is over 3 years old. And in no way is it as capable as a new Moto G. The omap processor aged HORRENDOUSLY.
  • Perhaps. But my partner got his less than 3 years ago, and it still works practically as well as my Nexus 4. I've recommended that he replace it with a Moto G, so I guess it's nice to know that that will be a step up. But seriously, it's still a quite viable phone. He's only looking to upgrade because it refuses to charge all the way any more.
  • I'm surprised by your experience. My GNex is nowhere near as fast as my Nexus 4. It lags like crazy, takes forever to open any modern app, and is an all around miserable experience to try and use as a daily driver. But if your partner's works, then great. But I doubt most people would consider it viable given the availability of phones like the Moto G
  • Galaxy Nexus is a turd next to the 4. Horrible battery life and so slow.
  • Galaxy Nexus was released November 2011 (more than three years) and it only stopped getting updates because the OMAP processor on it is not being supported anymore by Texas Instruments, meaning there's no drivers to make it work with the latest Linux kernels. Posted via the Android Central App
  • Good for Google. This is just another way they are sending the message to OEMs/carriers that not providing Android OS updates to devices is unacceptable, and I applaud them for it. If they want their devices to be secure, they can get off their asses and provide OS updates to the devices.
  • It's unfortunate that the architecture of the 4.x platform makes updating components problematic. However, I do feel that Google needs to be a little more mindful about "making available" a patch for security issues in the 4.x branch. Since carriers/OEMs are such babies about getting the latest out there it's hard to fault Google for saying they won't maintain the older versions - but if there is a major security exploit of a large portion of the Android population - not updating just isn't very responsible.
  • If OEMs won't provide these updates, they should willingly (or through class action lawsuits) be compelled to unlock the boot loaders Posted via Android Central App
  • This article seems to ignore / gloss over the fact that Google's stance is fairly reasonable considering AOSP vs. Google portions of Android. Since the WebView in 4.4+ is chromium based, it automatically benefits from Google's improvements to Chrome. The 4.3- WebView is based on the previous browser core, just like the AOSP browser. Google built a basic browser that every user of AOSP gets for free and is OPEN SOURCE. Google's stance is "we're working on improving the Google browser, and the 4.4+ WebView gets all those improvements for free". Which is reasonable, as they say if someone finds an exploit they are welcome to contribute to the open source project / browser / WebView for AOSP (aka the whole point of an open source project). It would be nice if manufacturers submitted their patches back to AOSP, but unlikely since all manufacturers customize the browser beyond recognition too, or are using completely standalone codebases not based on the AOSP browser.
  • Sounds like people want the OEMs to be responsible for fixing vulnerabilities in Android. That's Google's responsibility.
  • The OEM decided to download the free code, create a device with it, sell it for money and not update it after. How come it is Google's responsibility? Posted via the Android Central App
  • I didn't say Google was responsible for OEM updates. I said Google was responsible for vulnerabilities in their own code.
  • FWIW, the code in question has been deprecated and is no longer in use. The people using it to make money had plenty of warning that it was to be sent out to pasture.
  • And the vulnerability was fixed, it's called Android 4.4 Posted via the Android Central App
  • Thanks for doing this article. I was going to ask you to do one after I saw doomsday headlines and article from a website aimed at non-technical people. I knew you would give a reasoned explanation of if the threat was real or what steps to take. Posted via the Android Central App
  • Google has a history of updating their apps to the point of not being compatible with earlier versions, to the point of breaking those earlier versions. This doesn't surprise me. I have a Moto G, that I will not root, install a ROM on, etc.. Not because I don't want to, but for the very reason that the phone that I have done that to (a 2 1/2-year-old Alcatel) was bricked by the new initiative to make all apps material designed. No more sync, Play Store, accounts, etc.., all from updating apps from Google. Everything worked wonderfully, until the Play Store decided to update itself, then constant force closures, every 5-6 seconds (didn't even touch the phone, it was on automatic update). So, yes I can believe this article.
  • You can turn off automatic updates. That really bogs phones down if you don't have a capable device like an Alcatel and uses battery life more considerably than having it off. Posted via the Android Central App
  • My Sim card locked puk code send please my mobile phone number 8186109633
  • Model Samsung Note Edge
  • Google and the forums are your friend plus is it really smart to put your own personal phone number if it's even real online where the entire world can see it? Gotta learn your internet privacy chap. Don't post personal information. Posted via the Android Central App
  • I would like to point developers using the WebView to check out the Crosswalk WebView: http://www.crosswalk-project.org It is based on Chromium and updates just as regularly as Chrome on Android. It is possible to distribute the WebView with your app and thus decide when you are ready to upgrade. Today it is used by Sencha Spaces, AppGyver, famo.us, Ionic and others, incl. Google for their mobile Chrome Apps on Android. It works on Android 4.x and up and is being developed by a group of engineers at the Intel Open Source Technology Center http://01.org but also sees contributions from Samsung (Tizen support etc).