Google can't 'safely' patch WebView

Google has stopped patching exploits in a core component of older versions of its Android mobile operating system because it can't be done safely, a company Android security expert has said.

Earlier this month security researchers from infosec vendor Rapid7 revealed Google would no longer provide fixes for WebView, a core OS component in Android that is used to render web pages in the Jelly Bean version (Android 4.3) and older.

WebView was replaced by the Chrome browser in the newer KitKat (4.4) and Lollipop (5.0) versions.

The move potentially leaves millions of Android users open to attack -  the versions of the operating system Google will no longer patch represent about 60 percent of the Android ecosystem.

The latest version - Lollipop (Android 5.0) - which Google will continue to provide patches for represents less than 0.1 percent of the installed market, according to Google's own statistics.

The company declined to comment at the time, but over the weekend published a blog post explaining its new policy.

Google will now only implement or pass manufacturers patches for older versions of Android if the patch has been provided by a security researcher.

Google Android security team member Adrian Ludwig said the challenges involved in providing security patches for older versions of WebView meant it couldn't be done safely.

“WebKit [component of WebView] alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two plus year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” he wrote.

“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

Ludwig advised the over 60 percent of users affected by Google's new policy to download and use updatable web browsers such as Google Chrome or Mozilla Firefox.

"Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users," he said.

"When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome or Firefox are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater.”