Android

How to avoid the Android Jellybean Webview vulnerability

Android 4.3 and earlier suffers from a vulnerability Google doesn't plan on patching itself. Jack Wallen tells you what you can do to avoid possible exploits on your aging Android device.

Webview

The headline was pretty cruel: "Google abandons 93 million users."

Sounds horrible, right? Kind of Microsoftian, in a Windows XP kind of way. What does it mean exactly? It's simple — a vulnerability was discovered in the Webview tool that affects anyone using Android 4.3 or earlier. This vulnerability allows Webview to be exploited. When the vulnerability was reported in October, Google decided it would leave the patching of the 4.3 and earlier releases up to someone else. With that, the vast majority of people step back and think Google has decided to turn the cold shoulder to nearly 100 million users.

Before everyone starts crying that the sky is falling, let's take a look at issue from outside. First and foremost, Android 5.0 is about to release. Lollipop is about to usurp KitKat as the most recent flavor of the Android platform. That means Jellybean is old (in tech time, very). The same reason Microsoft could no longer continue to support Windows XP, Google cannot continue supporting older releases.

Google has to keep thinking forward, not backward. On top of that, nearly all Android devices sold today sport 4.4 or higher. Out of eight different Android phones, the only device I had that ran 4.3 was the Kyocera Hydra. Everything else ran 4.4 or higher. Even so, why wouldn't Google opt to fix this one problem — a problem that has the capability of becoming a nightmare for a mass of users with older platforms?

Well, first and foremost, the announcement doesn't mean Webview won't be patched. They do welcome patches from third-parties to be examined for use. This means someone could patch the vulnerability, submit the patch, and that patch be then rolled out to Android users. So, no one is truly being left behind. And my guess is that this Webview fiasco will soon be a thing of the past.

However, if you're concerned about the Webview issue and don't want to wait for a third-party's patch to be accepted, I have the solution — and it's really simple.

Before I tell you about this solution, you might want to know what Webview is.

There are plenty of apps that allow you to view web-based content without having to actually open a full-blown browser. That's Webview. It uses the Webkit rendering engine and makes viewing web content faster and more seamless.

Now that you know what it is, how do you avoid it (for now)? Simple — you install Google Chrome or Firefox and set them as your default browser. Once you've installed either of the apps, tap a link from within an email (or any other app) and, when prompted, select that new app as the default (select the browser and then tap Always, as shown in Figure A).

Figure A

Figure A

Setting Firefox as the default on a Verizon-branded Droid Turbo.

Now, Webview will not be used, and your device should be safe from any of those exploits.

Outside of that, your best bet is to make sure your phone is up to date. If your device is up to date and still running 4.3 or lower, you might want to consider upgrading your smartphone to enjoy some of the incredible new features found in the latest releases. In fact, you might want to simply install Firefox as your default browser and use that device until your carrier has devices running Lollipop.

Was this a bad move on Google's part? Maybe. But it's not like they have completely left users of Android Jellybean (and earlier) in the dark. A patch will come along to fix that issue in Webview, and when it does, I'm certain said patch will make it to the affected devices.

If you're using 4.3 or earlier, what are your plans for avoiding a Webview vulnerability? Let us know in the discussion thread below.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

Editor's Picks

Free Newsletters, In your Inbox