According to Android security incident handlers, Google will no longer provide security patches for vulnerabilities that affect versions of Android's native WebView prior to Android KitKat 4.4 [1, 2, 3]. In KitKat, Google replaced the WebKit-based WebView with a more recent Chromium-based WebView. As a result, Jelly Bean (versions 4.0 through 4.3) and earlier releases will no longer receive WebView security patches from Google. All other pre-KitKat components will continue to receive back-ported patches.
If you are developing or deploying applications built with an HTML5 cross-platform development tool such as RhoMobile or PhoneGap, which use WebView for rendering, the risk can be mitigated: developers should confirm that only trusted content (e.g. content loaded from a local source or over HTTPS) is displayed within the WebViews in their application. We also recommend that applications written with a cross-platform framework are coded to a secure standard and do not expose features, such as an address bar, that allow users to reach arbitrary websites, since those sites may contain malicious code [6].
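The following is an added example, not code from Zebra, Google or any of the frameworks named above, showing one way to confine a WebView on a pre-KitKat device to the trusted content the paragraph describes: packaged assets under `file:///android_asset/` and a single HTTPS host. The host name `app.example.com` and the class name are assumptions for illustration. Note that `shouldOverrideUrlLoading` only sees top-level navigations, so subresource loads (scripts, frames, XHR) are filtered separately in `shouldInterceptRequest`.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not Zebra's or Google's code): restrict a WebView to an allowlist of
// trusted origins so that an unpatched engine is never pointed at untrusted content.
public final class TrustedWebViewClient extends WebViewClient {

    // Hypothetical allowlist: the app's own HTTPS host. Bundled assets are handled by scheme.
    private static final Set<String> TRUSTED_HTTPS_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    private static final String ASSET_PREFIX = "file:///android_asset/";

    // Apply conservative settings and install this client on the given WebView.
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Packaged HTML needs no cross-origin privileges for file:// URLs.
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        settings.setAllowContentAccess(false);
        settings.setSavePassword(false);
        // Enable JavaScript only if the packaged app actually needs it.
        settings.setJavaScriptEnabled(true);
        webView.setWebViewClient(new TrustedWebViewClient());
    }

    // A URL is trusted only if it is one of the app's own assets or an HTTPS URL on
    // an allowlisted host. Everything else (http, javascript:, intent:, custom schemes,
    // arbitrary files on the device) is rejected.
    static boolean isTrusted(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if ("file".equals(scheme)) {
            return url.startsWith(ASSET_PREFIX);
        }
        if ("https".equals(scheme)) {
            return TRUSTED_HTTPS_HOSTS.contains(uri.getHost());
        }
        return false;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true cancels the navigation. The app offers no address bar, so a
        // blocked navigation is an application bug or an injected link, not a user request.
        return !isTrusted(url);
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        // Subresources bypass shouldOverrideUrlLoading; answer untrusted ones with an
        // empty response instead of letting the engine fetch them.
        if (isTrusted(url)) {
            return null; // let the WebView load it normally
        }
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // "Loaded over HTTPS" means validated HTTPS: never proceed past a certificate error.
        handler.cancel();
    }
}
```

Call `TrustedWebViewClient.harden(webView)` before the first `loadUrl`. The allowlist is deliberately a host match rather than a prefix match so that a URL whose path or query merely contains the trusted host name is still rejected.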
HTML5 applications, regardless of how they are deployed, are exposed to the same classes of vulnerability as web applications (SQL injection, cross-site scripting, weak encryption, business logic attacks, etc.). HTML5 techniques themselves are not the problem when an app is coded to a secure standard, and there is a large body of best practice for doing so. When developing in an HTML5 environment, you must consider all web application vulnerabilities as well as a number of other key threats.
Bottom line: the resolution to these vectors is to inspect and sanitize input within the application, especially in applications that use WebView.
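As an added illustration of sanitizing within the application (this is example code, not Zebra's or any framework's own), the class below handles the two web vulnerabilities named above on the Android side: it binds untrusted values as SQLite parameters rather than concatenating them into SQL, and HTML-encodes untrusted strings before they become markup rendered in a WebView. The `orders` table, its columns and the class name are hypothetical.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.text.TextUtils;
import android.webkit.WebView;

import java.util.ArrayList;
import java.util.List;

// Added example (not Zebra's or Google's code): sanitize data inside the app before it
// reaches the database or the WebView. Table and column names are hypothetical.
public final class InAppSanitizer {

    // SQL injection: the untrusted customer id is bound as a parameter, so a value
    // containing quotes or SQL keywords is treated as data, never as statement syntax.
    // The pattern to avoid is building the statement with string concatenation.
    public static List<String> findOrderIds(SQLiteDatabase db, String customerId) {
        List<String> ids = new ArrayList<>();
        Cursor c = db.rawQuery(
                "SELECT order_id FROM orders WHERE customer_id = ?",
                new String[] { customerId });
        try {
            while (c.moveToNext()) {
                ids.add(c.getString(0));
            }
        } finally {
            c.close();
        }
        return ids;
    }

    // Cross-site scripting inside the WebView: anything that arrived from a barcode
    // scan, a network response or a form field is HTML-encoded before it is placed
    // in the page, so it renders as text rather than as tags or script.
    public static String buildOrderListHtml(String customerName, List<String> orderIds) {
        StringBuilder html = new StringBuilder("<html><body><h1>Orders for ");
        html.append(TextUtils.htmlEncode(customerName)).append("</h1><ul>");
        for (String id : orderIds) {
            html.append("<li>").append(TextUtils.htmlEncode(id)).append("</li>");
        }
        return html.append("</ul></body></html>").toString();
    }

    // Render the generated page with no base URL, so it runs in an unprivileged origin
    // rather than as file:// or as the app's trusted host.
    public static void show(WebView webView, String html) {
        webView.loadDataWithBaseURL(null, html, "text/html", "utf-8", null);
    }
}
```

`TextUtils.htmlEncode` is only correct for text placed in an HTML element body or a quoted attribute; a value that must end up inside a `<script>` block or a URL needs encoding for that context instead, which is why the example keeps all untrusted data in element content.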
Zebra continuously monitors numerous vulnerability reporting sources for all devices we produce. If and when a vulnerability is discovered in a pre-KitKat version of WebView, Zebra will review the scenarios to determine whether an exploit is possible, taking into account the variety of security controls our devices employ. If an exploit could result in negative consequences, Zebra will recommend remediation approaches and/or patch the affected components to remove the vulnerability.
Patches can be sourced not only from Google but also from other open source distributions. Zebra can also develop the patch with our own Zebra developers, as was the case with the Heartbleed bug, where Zebra produced a patch for our customers before one was made generally available. Zebra develops on top of the Android Open Source Platform, moving our architecture forward in the most 'enterprise-focused' light, with security at the forefront.
- [1] Google stops providing patches for pre-KitKat WebView, abandons 930 million users
- [2] Google No Longer Provides Patches for WebView Jelly Bean and Prior
- [3] Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion