You might have noticed a number of recent stories (like this one) claiming Google was abandoning some huge portion of Android users rather than fixing WebView security holes. It's exactly the kind of thing that makes good clickbait. Google has now issued a statement on the security issues in Android 4.3 and earlier, basically pointing out it's not feasible to update old code forever and offering tips for avoiding potential exploits.

First, a little background—WebView is a component of Android that lets developers render web pages in apps without implementing a full browser. It was based on WebKit until Google moved to Chromium in Android 4.4 KitKat, and the security holes only appear in the older version bundled with 4.3 Jelly Bean and earlier. Google's position is that it isn't practical to integrate security patches from an open source project as large as WebKit (hundreds of developers, thousands of commits every month) with a branch that is now two years old (bundled with Jelly Bean).

Google previously stated that it would be happy to accept patches if they are submitted to AOSP, but it won't be developing them. I would add that even if Google patched WebKit for Jelly Bean, that wouldn't mean any users would get updates. It's up to OEMs to send out updates, and anything that's still on Jelly Bean at this point is probably not supported with updates anymore. Basically, there was an update that fixed these problems—it was KitKat, and if your device maker didn't deliver the update, you can't really blame Google (okay, you can, but it won't get you anywhere). Lollipop further improved WebView by unbundling it from the system so it can be updated via Google Play.

Google isn't going to be patching the old WebKit branch in Jelly Bean, so what can you do? The statement points out that any browser with its own rendering engine, like Chrome and Firefox, is unaffected by WebView bugs. It's only apps that implement a WebView to load online content that are potentially vulnerable. Users can avoid these apps completely, disable the built-in browsers, or only run apps that use WebView to access specific content known to be safe. Developers are advised to provide their own renderer on Android 4.3 and earlier so it can be patched as needed.
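
For developers who keep using the system WebView on those older releases, the "specific content known to be safe" idea can be enforced inside the app. The sketch below is an added example, not code from Google's statement or from this article; the class name `TrustedContentClient` and the `example.com` hosts are placeholders. It does not fix any WebView bug, it only limits what the old renderer is ever asked to load.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * On Android 4.3 and earlier, lets the system WebView fetch only HTTPS content
 * from known hosts. Install with webView.setWebViewClient(new TrustedContentClient()).
 */
public class TrustedContentClient extends WebViewClient {
    // Assumption: placeholder hosts; list the servers your app actually controls.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<String>(Arrays.asList("app.example.com", "static.example.com"));

    /** True when the device still has the WebKit-based WebView (before 4.4 KitKat). */
    static boolean isLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** Trusted means: https scheme and an exact match against the host allowlist. */
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    // Navigations started from page content (e.g. link clicks): true cancels the load.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return isLegacyWebView() && !isTrusted(url);
    }

    // Every resource request (pages, scripts, frames, images): untrusted ones get an empty body.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isLegacyWebView() && !isTrusted(url)) {
            return new WebResourceResponse("text/plain", "UTF-8",
                    new ByteArrayInputStream(new byte[0]));
        }
        return null; // null lets WebView load the resource normally
    }
}
```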

[+Adrian Ludwig]