Google has issued a statement regarding the recently reported WebView
security flaw that affects devices running Android 4.3 Jelly Bean and
older versions, a flaw that potentially puts over 900 million users at
risk. The statement is essentially a follow-up to the Android security
team's earlier response that it is up to OEMs to address the issue, and
that the company has already fixed it with the release of
Android 4.4 KitKat and Android 5.0 Lollipop.
For those who are unaware, WebView is a part of the Android OS that lets app developers
render web pages inside apps without requiring a full browser. The component
was based on the WebKit engine, which was replaced by Google's Chromium
engine when Android 4.4 KitKat launched, resolving the reported
vulnerability in WebView and also enabling quick binary updates to the
component via OEM updates. Android 5.0 Lollipop then unbundled WebView
from the operating system, allowing it to be downloaded and updated
separately by users from Google Play, without requiring an OEM fix.
Adrian Ludwig, from Google's Android security team, said in a Google+ post on Friday that
Google issues bug fixes to the current version of Android on the
Android Open Source Project (AOSP) page, and directly provides
"Android partners with patches for at least the last two major versions
of the operating system."
Ludwig said that improving WebView and
browser security is one of the areas where the company has made the
"greatest progress", detailing the changes made with Android 4.4 KitKat
and Android 5.0 Lollipop. He added that it is no longer feasible to
update versions of WebView that are more than two years old, as the component has more than 5
million lines of code and has seen hundreds of new 'commits' a month
from developers since then. Ludwig says it is up to the OEM to issue an
update for the issue, ideally by updating devices running OS
versions older than Android 4.3 Jelly Bean to Android 4.4 KitKat.
Users of Android 4.3 Jelly Bean and older devices can stay safe and
unaffected by WebView bugs, Ludwig points out, by using browsers that
have their own rendering engine, such as Firefox or Chrome. "Using an
updatable browser will protect you from currently known security issues,
and since it can be updated in the future it will also protect you
against any issues that might be found in the future," Ludwig added in
his Google+ post.
The apps that are vulnerable are those that open web pages in their
own built-in browser (WebView). Users can remove these
apps or disable the built-in browser option from inside the app. For developers, Ludwig
added that they too can help avoid the
WebView bug by following Google's "security best practices" and by
making sure only trusted web pages served over 'HTTPS' open in their
applications.
To add some context, Google's latest distribution
data for the different versions of Android reveals that Android 5.0
Lollipop, the latest publicly available version of Google's mobile and
tablet operating system, is powering less than 0.1 percent of Android
devices, while Android KitKat has a total share of 39.1 percent. The
same distribution data also reveals that
Android Jelly Bean still powers the greater part of Android devices,
with a combined share of 46 percent.
Interestingly, Google, a company that says it will not be able to roll out a fix for the WebView
bug to the majority of Android users, has lately been publishing OS
security flaws of Microsoft and Apple, albeit after giving them 90 days
to provide bug fixes. According to the latest report, Google has
revealed two new flaws in Apple's OS X operating system. The search
giant recently also revealed a number of security holes in Microsoft's
Windows 7 and Windows 8.1, despite Microsoft's request to
hold off for a few days until the patch was rolled out.