Patching old Android browsers is too much effort, says Google
Patching the WebView extension used by over 60 percent of Android devices is too much effort, according to Google's head of Android security, Adrian Ludwig.
In a Google+ post, Ludwig moved to calm concerns about Google's decision to cut support for the WebView extension used in Android versions 4.3 Jelly Bean and below, claiming that the practice is too costly and time-consuming.
"Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier," he said.
"But WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month.
"[In] some instances applying vulnerability patches to a two-plus year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."
News that Google had cut WebView support for early Android versions, which according to developer stats still run on over 930 million devices, broke on 12 January when security experts reported spotting the covert move.
Prior to Ludwig's public post Google had not responded to V3's request for comment on the cut.
The decision caused ripples in the security community, with many researchers feeling that it was a step backward in Google's efforts to secure Android.
Ludwig moved to allay these concerns, claiming that it is only thanks to Google's efforts to improve Android security that it can continue to support the newer Kitkat and Lollipop versions.
"Android 4.4 (Kitkat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop) Google delivers these updates directly via Google Play, so OEMs won't need to do anything," he said.
"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."
The Android head recommended that people using older versions take a variety of pre-emptive defence measures.
These include using a browser that is automatically updated through Google Play, and using applications "that follow security best practices by only loading content from trusted sources into WebView".
Improving Android's security has been an ongoing goal of Google's. The firm released a wave of security updates for Android in the latest 5.0 Lollipop update.
Key additions included a Security Enhanced Linux mode, enhanced encryption powers and a custom Smart Lock service.
Reviewed by Unknown on 1/29/2015