Google Advises Legacy Android Users to Replace WebView with Chrome or Firefox

14. March 2015 at 17:52

A large number of Android smartphone users may soon find themselves in something of a security cul de sac. Google has confirmed that they will no longer be supplying updates or software patches for so called ‘legacy’ versions of their Android operating system. The announcement comes on the heels of the release of Android KitKat 4.4 and Lollipop 5.0; the most recent iterations of Google’s flagship operating system. Unfortunately, with more than 60% of all Android users still running legacy versions of the software, that decision puts millions of people at a heightened security risk. An exploitable bug in older versions of Android (specifically anything prior to, and including, Jellybean 4.3) has the potential to leave millions of Android users vulnerable to hacking and other cybercrimes.

The WebView Vulnerability

Google’s decision to abandon regular updates for its legacy software could be seen as little more than an inconvenience, were it not for a security flaw found in the WebView application built into all early versions of the software giant’s flagship operating system. The WebView software is used by all versions of Android to render web pages on smartphones and tablets. It is, essentially, the device’s interface with the World Wide Web. Unfortunately, as revealed on, there is an inherent security flaw in all older versions of the WebView software that can be exploited by hackers to seed the user’s device with malware in order to capture their personal data. Newer versions of the Android operating system now use a Chromium based version of WebView that has eliminated the bug. However, that still leaves anyone using a legacy version of Android at loose ends and with no security update in sight.

Google Has Reasons

When the WebView bug was brought to light earlier this year, Google’s response was short and to the point. In the view of Google’s Android security team it was simply impractical to continue to develop security patches for older versions of WebView and the WebKit technology Android relies on to access the web. Adrian Ludwig, who works on the security team, addressed the issue in a recent blog post. He wrote, “WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two plus year old branch of the WebKit requires changes to significant portions of the code and was no longer practical to do safely.” He went on to say that the number of people affected by the security issues should quickly diminish as consumers “upgrade or get new devices”. Ludwig did, however, offer an interim solution for legacy Android users.

Firefox and Chrome to the Rescue

While the number of Android users running legacy iterations of the software may be shrinking (albeit slowly), that still leaves a large number of consumers relying on the compromised versions of WebKit and WebView to access the internet. While the Google support team remains firm that they will not be developing a software patch to address the security issue, they have offered a viable solution for anyone running legacy versions of the Android operating system. They advise users to bypass the vulnerable WebView app by downloading, and using, an alternative browser on their smartphone or tablet. Google recommends Chrome or Firefox for anyone still running a legacy Android operating system, as both browsers receive regular security updates through Google Play. The Chrome and Firefox apps are easy to install, so even the less tech savvy Android users should have no trouble making the switch.

Apparently, Google is hoping that legacy Android users will soon make the upgrade to a newer handset running the latest iteration of its flagship operating system. Cynics might say that that is one reason they have abandoned security updates for older versions of the software. Be that as it may, the Android security team has at least offered a workable solution for anyone running a potentially vulnerable version of their operating system. The solution may not be ideal, but it does help provide legacy Android users with a greater measure of security.