2 min read

Google endangers 900 million Android smartphones, by refusing to patch WebView


January 14, 2015

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Google endangers 900 million Android smartphones, by refusing to patch WebView

Do you have an Android smartphone or tablet? Have you checked what version of the Android OS you are running?

Because if you are running Android 4.3 (aka Jellybean) or earlier I’m afraid there’s some bad news: you’re not going to be receiving any security updates from Google for WebView, a core component of the Android operating system used to render webpages.

In case you didn’t know, WebView is the tool within Android which allows apps to display webpages without you having to open a separate browser. And if WebView’s security holes aren’t patched and you happen to visit a poisoned webpage, your Android device could be hit by a drive-by download attack.

So, does it matter that Google isn’t patching WebView on older versions of Android?

I think so. Take a look at this graph, where Google’s own statistics show that the majority of Android devices (60% or so) are vulnerable because they are running pre-KitKat versions of Android.


In Android 4.4 (KitKat), Google switched to a Chromium-based version of WebView – which continues to be maintained.

Tod Beardsley, an engineering manager at Rapid7, broke the news of Google’s bizarre decision to no longer update WebView on Android 4.3 or earlier.

After informing Google’s security team about a newly-found vulnerability in versions of WebView prior to Android 4.4, Beardsley was told:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Obviously, it’s not trivial to continue to support and update devices running legacy versions of an operating system. But with more than 900 million devices at risk, and Android smartphones and tablets continuing to be sold which have the older OS, this decision by Google is going to leave many in the lurch.

After all, if security is really important to you, the only options are to write a patch the vulnerability yourself (which Google apparently will be happy to receive), upgrade to a new smartphone or switch to a platform like iOS.

It’s a deeply troubling situation, and one that Beardsley hopes Google will reconsider:

“Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning…. I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Personally I find it ironic that Google has just criticised Microsoft for not issuing a security patch as quickly as it would have liked, when Google itself has silently dropped any future plans to *ever* provide WebView patches for the over 900 million Android devices out there.

Google, get your house in order. Stop throwing stones in glass houses, and show that you care about the security of those who have bought (and in some cases are *still* buying) devices running Android 4.3 or earlier.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like