Skip to content

January 24, 2015

Google explains why it’s not fixing web security in old Android phones

by John_A

Android Cupcake, Honeycomb, Ice Cream Sandwich and Jelly Bean statues

You might not be happy that Google isn’t fixing a web security flaw in your older Android phone, but the search giant now says that it has some good reasons for holding off. As the company’s Adrian Ludwig explains, it’s no longer viable to “safely” patch vulnerable, pre-Android 4.4 versions of WebView (a framework that lets apps show websites without a separate browser) to prevent remote attacks. The sheer amount of necessary code changes would create legions of problems, he claims, especially since developers are introducing “thousands” of tweaks to the open source software every month.

Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don’t use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can’t abuse the vulnerable software if you’re not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.

The advice should help if you’re either a tech-savvy user or write apps. However, it still hints that quite a few people will remain at risk until those older releases of Android ride into the sunset. Many Android device owners aren’t aware of alternatives to the stock Android browser, or can’t easily get them (you have to jump through hoops to install Chrome if you can’t use the Google Play Store, for instance). Also, there’s no simple way to tell whether or not an app is using WebView. The chances of an attack are low if you’re careful, but it could take a long, long while before the majority of Android gadgets are truly safe from WebView-related web exploits.

Filed under: Cellphones, Tablets, Internet, Mobile, Google

Comments

Via: Android Police, Wall Street Journal

Source: Adrian Ludwig (Google+)

Read more from News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: