Google responds to Jelly Bean WebView security concerns

There have been recent concerns over security issues in the outdated WebView in Android Jelly Bean. Because the component is so old, it faces security issues that are a non-issue on newer versions of Android.

Google has responded to these concerns by basically saying they won’t be updating the WebView in Jelly Bean. But while that may not be what people have been expecting, Google does have a reasonable explanation for it.

From KitKat onwards, the WebView component (the browser you see inside apps that open links in their own built-in browser instead of sending you to your default browser) runs on the newer Chromium engine, the same one used in the Google Chrome browser. Jelly Bean and older versions of Android, however, use the WebKit engine, which is vast and, being open source, is updated by hundreds of developers. It is therefore neither easy nor safe for Google to update just a part of that engine.

Secondly, even if Google does release an update, it is entirely in the hands of the OEMs to deliver it. Phones that are still running Jelly Bean after two major Android updates are unlikely to get any further updates from their OEMs, meaning the security update may never reach users.

Google’s suggested solution is for users to set apps to open links in an external browser such as Chrome or Firefox, which are regularly updated, and for developers to open only secure content on older versions of Android. It is not the ideal solution, but it’s the only feasible one right now.
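
A sketch of how an app could follow that advice, added here as an illustration and not taken from Google or the original article: on pre-KitKat devices the in-app WebView is limited to HTTPS pages on hosts the app trusts, and every other link goes to the external browser. The class name, the `open` and `divert` helpers and the host `app.example.com` are assumptions made for the example.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

// Hypothetical client: keeps untrusted content out of the old WebKit-based WebView.
public final class LegacySafeWebViewClient extends WebViewClient {
    // Assumption: hosts the app itself controls (placeholder value).
    private static final Set<String> TRUSTED_HOSTS = Collections.singleton("app.example.com");

    /** Jelly Bean and older (below API 19, KitKat) ship the WebKit-based WebView. */
    static boolean isLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** "Secure content" here means HTTPS and a host on the allow-list. */
    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme()) && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Returns true when the URL was kept out of the WebView. */
    static boolean divert(WebView view, Uri uri) {
        if (!isLegacyWebView() || isTrusted(uri)) return false;
        String scheme = uri.getScheme();
        // Only web links are handed to the browser; other schemes are dropped.
        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
            try {
                view.getContext().startActivity(new Intent(Intent.ACTION_VIEW, uri)
                        .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
            } catch (ActivityNotFoundException e) {
                // No external browser installed: the link is not opened at all.
            }
        }
        return true;
    }

    /** Call this instead of webView.loadUrl(url) for the first page. */
    public static void open(WebView view, String url) {
        if (!divert(view, Uri.parse(url))) view.loadUrl(url);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return divert(view, Uri.parse(url)); // link clicks inside the WebView
    }
}
```

`shouldOverrideUrlLoading` only sees top-level navigations, so sub-resources pulled in by a trusted page are not filtered by this check.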