900 Million Android users will have to deal with 4.3 WebView Remote Exploit

Upon discovering a webview vulnerability that affects android versions @Jellybean and below, they have made a business decision that the benefit will not reach  the level of effort required to patch the vulnerability.

The reasons given were:

Trend delta of versions, and attrition rate due to age.

Since the number of users of users on versions 4.3> are on the rise. While this is good, only 40% (and climbing) of Android users operate on this platform.

Number of Users vulnerable to the exploit is shrinking.


Android 5 will be available in a better selection. This will drive users to migrate.

Google would have to comb all of WebKit, which would be 5 million lines of code.

The internets is hard work, Im not going to disagree.

First, WebView. You  might run into a WebView environment when you are in a social application and tap on a web card link, and instead of a browser opening, the environment deploys its own viewer so that the user experience is more unified and consistent.

Risk Mitigation/Aversion

  1. If you don’t use applications like social media or webapps that utilize the class, you are ok.
  2. You have to be on an Android version  at 4,3 or less. That eliminates almost 40% of all Android Users.image
  3. Google stated they won’t patch it because they would need to comb 5 million lines of code. They might change their mind though.
  4. There are only about a billion Android users world wide.image
  5. Since 40% of Android users are safe from the remote attack, only 600 million have a chance to get exploited.


Adrian Ludwig, Android Security: Google INC

Following public discussion of vulnerabilities in versions of Webkit last week, I’ve had a number of people ask questions about security of browsers and WebView on Android 4.3 (Jellybean) and earlier. I want to provide an update on what we’re doing and guidance on steps that users and developers can take to be safe, even if your device is not yet running Lollipop.

Keeping software up to date is one of the greatest challenges in security. Google invests heavily in making sure Android and Chrome are as safe as possible and doing so requires that they be updated very frequently. With Google’s assistance, Android device manufacturers (OEMs) have been moving rapidly to improve the rate that devices are updated and to ship devices with the most recent versions of Android. We provide patches for the current branch of Android in the Android Open Source Project(AOSP)[https://source.android.com/] and directly provide Android partners with patches for at least the last two major versions of the operating system.

Improving WebView and browser security is one of the areas where we’ve made the greatest progress. Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything. Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.

There are also steps users and developers can take to mitigate the risk of potential exploitation of WebKit vulnerabilities without updating to Lollipop. Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.

When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome [http://goo.gl/elSkZX] or Firefox [http://goo.gl/Q5X6e3] are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater. Chrome has been the default browser for all Nexus and Google Play edition devices since 2012 and is pre-installed on many other popular devices (including Galaxy devices from Samsung, the G series from LG, the HTC One series, and the Motorola X and G), so you may already be using it.

Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.

If you are an application developer, there are also steps you should take to keep users safe. Application developers should make sure that they are following all security best practices[http://goo.gl/b6a3ta]. In particular, to resolve this issue when using WebView[http://goo.gl/FKeouw], developers should confirm that only trusted content (e.g. loaded from a local source or over HTTPS) is displayed within WebViews in their application. For maximum security when rendering content from the open web, consider providing your own renderer on Android 4.3 and earlier so that you can keep it up to date with the latest security patches.

Good luck Android users.

%d bloggers like this: