Many users may be unhappy with Google’s decision not to fix a web security issue in WebView on old Android phones. WebView is a framework that allows Android apps to display websites without opening a separate browser, and many developers use it to display web content inside their apps. A vulnerability affects WebView, but Google is not planning to fix this security flaw on old Android devices.
Google has a strong reason for this. Company official Adrian Ludwig has stated that it would not be feasible to “safely” patch the susceptible, pre-Android 4.4 versions of WebView to prevent remote attacks, because the amount of change required would be enormous and would bring numerous associated issues. This is because developers make many tweaks to the open source software with every month that passes. He did, however, suggest some ways to deal with this web security issue.
Instead of the stock Android browser, using browsers that don’t rely on WebView and that get regular security and performance updates, like Chrome and Firefox, may help to prevent WebView-related exploits. But many Android users are not aware of these alternatives and use the pre-installed stock browser. Google Chrome also requires a minimum Android version, Android 4.0. Firefox requires only Android 2.3, but many ‘not so tech-savvy’ users are not familiar with Firefox for Android (maybe because of its limited exposure in the PC world). In addition, many Android apps use WebView to display web content, and there isn’t any simple way to tell (unless you are a developer or well aware of it) whether an app is utilising WebView.
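One way a developer can check a given APK for WebView usage, as an added example (not from the original article or from Google): a Python heuristic that scans the package's DEX files for the `android.webkit.WebView` type descriptor and its compiled layouts for a `WebView` tag. The sample APK contents are constructed, and reflection or obfuscation can hide usage from a byte scan like this.

```python
import io
import re
import zipfile

# Type descriptor as it is stored in a DEX string table.
DEX_MARKER = b"Landroid/webkit/WebView;"
# Tag name as it may appear in a compiled layout (UTF-8 or UTF-16LE string pool).
XML_MARKERS = (b"WebView", "WebView".encode("utf-16-le"))
# classes.dex, plus classes2.dex, classes3.dex, ... in multidex apps.
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def find_webview_references(apk):
    """Return the sorted APK entry names that appear to reference WebView.

    `apk` is a file path or a binary file object. This is a byte-level
    heuristic: a hit means the entry mentions WebView, not that it is loaded.
    """
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if DEX_NAME.match(name):
                markers = (DEX_MARKER,)
            elif name.startswith("res/layout") and name.endswith(".xml"):
                markers = XML_MARKERS
            else:
                continue  # assets, images, manifest: not inspected here
            data = zf.read(name)
            if any(marker in data for marker in markers):
                hits.append(name)
    return sorted(hits)


def build_constructed_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_constructed_apk({
        "classes.dex": b"dex\n035\x00" + DEX_MARKER + b"\x00",
        "res/layout/main.xml": b"LinearLayout\x00TextView\x00",
    })
    print(find_webview_references(sample))
```
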
So until the older versions of Android get a home run from Google, users on old Android versions may remain open to WebView exploits. But the chances of getting hacked can be reduced with conscious use and by adopting alternatives to the stock Android browser.
Source: Adrian Ludwig (Google+)