Google Gives WebView the Cold Shoulder
Posted: Sat Jan 31, 2015 10:40 am
Google has decided not to fix vulnerabilities in WebView for Android 4.3 and older, sparking heated discussions among developers.
Those versions of WebView run on the WebKit browser. Fixing them "required changes to significant portions of the code and was no longer practical to do so safely," Adrian Ludwig, lead engineer for Android security, explained last week in a post.
Ludwig recommended steps users and developers can take to mitigate the potential exploitation of WebView vulnerabilities without updating to Lollipop, or Android 5.0.
The decision will leave 930 million users of Android devices in the lurch, Tod Beardsley warned earlier this month.
Let 'Em Eat Cake!
Users should employ a browser that has its own content renderer and is regularly updated, Ludwig suggested.
Chrome and Firefox are securely updated through Google Play, he pointed out. Firefox is supported on Android 2.3 and higher, while Chrome is supported on Android 4.0 and higher.
Developers should "confirm that only trusted content ... is displayed within WebViews in their application," he said.
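What "only trusted content" looks like in practice, as an added example rather than code from Google or from any app discussed on this page: a WebViewClient that confines the legacy WebKit WebView to an allowlist of HTTPS hosts, refusing both top-level navigations and sub-resource loads (scripts, frames, images) to anything else, and a helper that switches off the settings an app does not need when it does not control the rendered content. The host names are hypothetical placeholders; everything else uses stock android.webkit APIs available on Android 4.0 through 4.3.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Google's or any app's code): keep untrusted pages away
 * from the legacy WebKit renderer by allowlisting what a WebView may load.
 */
public final class TrustedContentWebViewClient extends WebViewClient {
    // Hypothetical allowlist; an app would list only origins it operates.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("www.example.com", "static.example.com")));

    /** A URL is trusted only if it is HTTPS and its host is on the allowlist. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Link clicks, JS-driven navigations and redirects: returning true means "do not load it". */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);
    }

    /** Every resource fetch: untrusted ones get an empty body instead of reaching the network. */
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) return null;               // null = let WebView fetch it normally
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** The initial load is not routed through shouldOverrideUrlLoading, so check it here too. */
    public static boolean loadIfTrusted(WebView webView, String url) {
        if (!isTrusted(url)) return false;
        webView.loadUrl(url);
        return true;
    }

    /** Install the client and turn off capabilities untrusted content must never get. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);      // re-enable only for pages the app controls
        settings.setAllowFileAccess(false);        // no file:// reads from the app sandbox
        settings.setAllowContentAccess(false);     // no content:// provider access
        settings.setSavePassword(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // These two setters exist from API 16 (Android 4.1) onward.
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.setWebViewClient(new TrustedContentWebViewClient());
    }
}
```

The client does not expose any object through addJavascriptInterface; an app that needs a Java bridge should add it only after harden() and only when JavaScript is enabled for content it serves itself. Allowlisting by host is deliberately coarse: if an allowlisted origin can be made to serve attacker-controlled HTML (open redirect, user uploads), that content still reaches the unpatched renderer, so the list should contain only origins whose content the app's own team controls.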
Everybody's Going for Shiny New Stuff
"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig observed.
Android 4.4, aka "KitKat," introduced a new WebView component based on the Chromium open source project. It includes an updated version of the V8 JavaScript engine and support for modern Web standards not in the earlier version of WebView.
Figures from a seven-day period ending Jan. 5 posted on the Android Developers Dashboard indicate Jelly Bean had 46 percent of the market and KitKat 39 percent. Ice Cream Sandwich had 6.7 percent and Gingerbread 7.8 percent.
Still, "generally speaking, Google can't go back and support all the old versions," said Al Hilwa, a research program director at IDC.
Reactions to Ludwig's Ideas
"Telling app developers to just provide your renderer rather than you guys handling your own screw-ups? What a joke," wrote Jake Weisz in response to Ludwig's post. Stating the fix is expensive or difficult "is not an excuse because it's Google's responsibility."
Also, "as a developer of an app that renders content from the open Web, I feel like [the suggestion devs provide their own renderer] badly misrepresents and underestimates the work involved in such a task," Chris Lacy wrote. "Building and shipping a Web renderer is an absolutely massive task."
"This isn't the first time Google has done something to make developers' lives hard by not providing backward compatibility," he told TechNewsWorld.
However, most developers might not do anything to fix the problem, because the independents might not have the time to write their own WebView, he noted, while for corporate devs, most companies "do not provide adequate time to fix issues which might need them to rewrite the core framework being used in their app."