Android WebView Exploit – What to Know and What to Do

Recently, a large number of stories started appearing in various publications, such as The Guardian, reporting that Google was going to stop updating the WebView component of old versions of Android, up to Jelly Bean, and that this would leave a very large number of users exposed to recently found exploits in previous versions of the WebView. For those who may be unaware, the WebView is the component that powers the web engine and rendering in Android – basically, every time an app needs to show you a web page of some sort, it uses the WebView component built into Android to do it. There is indeed a security issue with it, and it seems to affect every version of Android up to Jelly Bean. So, it’s a pretty big deal. But now that we know there are issues with it, what can you do to protect your device, and is the situation as bad as it looks?

First of all, it is important to understand exactly why Google won’t just solve this issue by updating the WebView to a more recent version. The fact is that, as we know, the Android update model is basically broken, since it relies on manufacturers and carriers to handle the development, maintenance and distribution of Android updates, with a few exceptions such as Nexus and GPE devices. So it’s not that Google won’t fix this issue – in fact, it has been fixed for a long time (Android KitKat and up use a version of WebView that isn’t affected). It’s simply that it’s not up to Google to make that fix reach your device, and a lot of manufacturers will not bother updating their old devices to take advantage of it.

The exploit itself is fairly serious, in that it can indeed be used for some pretty bad things, including intercepting private and important information. So, what can you really do about it? Well, as we said, the issue only exists on versions of Android up to Jelly Bean. One potential fix is to find a way to get KitKat or Lollipop onto your device that doesn’t rely on your manufacturer. The Android community is well versed in customizing and upgrading its software, and if your device is fairly popular and still capable, chances are that someone has built a version of KitKat or Lollipop for it. Of course, this method generally involves rooting and unlocking your bootloader, something we have covered before, but chances are that your device is already out of warranty anyway, so it may be worth a shot. Certain popular Android modifications such as CyanogenMod may even officially support your particular device, which means that you’ll get stable and regular updates, and installing them is generally less complex than usual.

Now, if you don’t want to bother with that, or you can’t find a custom update for your device, there’s always another workaround that is fairly obvious: just use an alternative browser that ships with its own rendering engine. This WebView issue affects the stock browser that ships with Android, so if you install another browser that doesn’t rely on the system WebView and brings its own engine instead, you will be unaffected by the issue. Popular alternative browsers for Android include Firefox and Dolphin. In fact, even just using an updated version of the Chrome browser will work around the issue, since Chrome uses its own rendering engine as well. So, as long as you are using an alternative browser that is reasonably up to date, you’ll enjoy browsing that is safe from this exploit – provided you stop using, and deactivate, the stock browser.

However, there is one thing this workaround will not fix: some apps either use or rely on the WebView to work. Generally, whenever an app needs the user to log in or authenticate somehow, it will sometimes open a web page in your browser so that you can do it, but often it will simply use the WebView and open the page right there in the app. That, unfortunately, is affected by the same issue, and there is no clear workaround you can apply to avoid it. The only solution is not to use those sorts of apps altogether, which, although impractical, will certainly keep you safe. The good news is that, since the exploit is now known about, developers will start paying attention and may even remove the WebView dependency from their apps – in fact, Google recommends that developers use and implement their own WebView in the app in order to get around this, so chances are that any of the apps that may be affected by this issue, as long as they are still actively maintained, will be updated to do just that.
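For developers, the practical version of the advice above is to stop routing the login page through the system WebView on the affected Android versions. The following is an added example written for this article, not code from the article, from Google or from any particular app: a hypothetical `LoginLauncher` helper that opens the login page in the user’s browser (which can be kept up to date, as discussed above) when the device runs anything older than KitKat, and only lets the app use its own embedded WebView screen on KitKat and newer. The class name, the `Route` values and the HTTPS-only check are this example’s assumptions; the Android APIs used (`Build.VERSION.SDK_INT`, `Intent.ACTION_VIEW`, `resolveActivity`) are standard.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

/**
 * Hypothetical helper (added example, not the article's or any vendor's code).
 * Decides where an app's login page should be shown, based on the article's
 * point that the system WebView is only trustworthy from KitKat (API 19) on.
 */
public final class LoginLauncher {

    /** Outcome of a launch attempt, so the caller knows what to do next. */
    public enum Route {
        IN_APP_WEBVIEW,   // caller may show its own WebView-based login screen
        EXTERNAL_BROWSER, // page was handed to the user's browser
        UNAVAILABLE       // could not open safely (no browser, or not HTTPS)
    }

    private LoginLauncher() {}

    /**
     * True when the system WebView on this API level is not affected by the
     * issue the article describes (KitKat and newer). Takes the API level as a
     * parameter so the decision can be unit-tested off-device.
     */
    public static boolean systemWebViewIsTrusted(int sdkInt) {
        return sdkInt >= Build.VERSION_CODES.KITKAT;
    }

    /**
     * Defensive check assumed by this example: a login page carries
     * credentials, so it is only ever opened over HTTPS.
     */
    public static boolean isHttpsUrl(String url) {
        return url != null && url.toLowerCase().startsWith("https://");
    }

    /**
     * Routes the login page. On pre-KitKat devices the embedded WebView is
     * avoided entirely and the URL goes to the user's browser instead.
     */
    public static Route openLogin(Context context, String loginUrl) {
        if (!isHttpsUrl(loginUrl)) {
            return Route.UNAVAILABLE;
        }
        if (systemWebViewIsTrusted(Build.VERSION.SDK_INT)) {
            // Caller proceeds to its own WebView screen for the login flow.
            return Route.IN_APP_WEBVIEW;
        }
        Intent browser = new Intent(Intent.ACTION_VIEW, Uri.parse(loginUrl));
        browser.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        // Make sure some browser is installed before trying to start it.
        if (browser.resolveActivity(context.getPackageManager()) == null) {
            return Route.UNAVAILABLE;
        }
        context.startActivity(browser);
        return Route.EXTERNAL_BROWSER;
    }
}
```

Call `LoginLauncher.openLogin(this, loginUrl)` from the login button’s click handler and only inflate the WebView-based screen when it returns `IN_APP_WEBVIEW`. Handing the page to the browser on old devices also gives the user the address bar and certificate indicator that an embedded WebView hides, which is a reasonable trade-off for a login flow.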


So, overall, there are quite a few things worth pointing out about this. Number one is that the issue has been widely overblown in the media, and placing the fault on Google is not completely accurate, even though it’s Android’s ridiculous update model that causes this situation to begin with. Number two is that the issue can be completely circumvented with a little work from the user, by manually installing an updated version of Android that is unaffected by it. Number three is that even users who can’t install an update themselves can generally avoid running into the security issue by simply changing their default app habits and replacing those apps with safer alternatives. It is also worth pointing out that this specific attack vector will not work in Lollipop or future versions of Android, because Google now updates the native WebView along with Chrome in current versions of Android – so the WebView will always be using the latest version of the rendering engine, instead of being stuck with a version that is known to be broken and with no way to replace it. So please, keep safe, and avoid this issue altogether by following some of these tips.

Carlos S.

Carlos is a guy. He likes technology and gadgets, and sometimes even writes about them! You can routinely see him playing with his smartphone and avoiding social interaction.