Earlier this month, we began hearing reports about Google not planning to issue a patch for a WebView bug in Android 4.3 and earlier. Fast-forward to today and a Google employee has chimed in on the matter.
Adrian Ludwig, Google’s head of Android security, explains that Google used to provide updates for the version of WebKit used by WebView in Android 4.3 and earlier. Because of WebKit’s size (it’s got more than 5 million lines of code) and all the different commits that are added every month, Ludwig says that applying patches to a version of WebKit that’s more than two years old requires major changes and isn’t practical to do safely.
So what can users do to protect themselves from this vulnerability? Well, an update to Android 4.4 or Android 5.0 would certainly fix the problem, but that’s not feasible for everyone since not every Jelly Bean device will ever be updated to KitKat or Lollipop. As I suggested previously, anyone who’s affected could also install a browser from Google Play that’s regularly updated, like Chrome or Firefox.
While some might be disappointed to learn that Google isn’t going to issue a fix for this WebKit bug itself, it’s understandable considering how much effort going back and patching the bug would require. Plus, Google would then have to get all of the device makers to actually push that update out to their users. It’s much easier for everyone affected to download a browser from Google Play that can be regularly updated and protect them from past and future bugs.