The post published in recent days by Android's head of security, Adrian Ludwig, on the lack of WebView patches for devices that never got past Jelly Bean has stirred a great deal of discussion.
This is what Ludwig himself stated:
“Improving WebView and browser security is one of the areas where we’ve made the greatest progress. Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything. Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices”.
In short, don't hold out much hope unless your device runs at least Android KitKat.
Then a suggestion for developers:
“If you are an application developer, there are also steps you should take to keep users safe. Application developers should make sure that they are following all security best practices[http://goo.gl/b6a3ta]. In particular, to resolve this issue when using WebView[http://goo.gl/FKeouw], developers should confirm that only trusted content (e.g. loaded from a local source or over HTTPS) is displayed within WebViews in their application”.
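The advice above, "only trusted content (loaded from a local source or over HTTPS)", is easy to state and easy to get wrong, because a WebView loads not just the page you hand it but every script, frame and image that page pulls in. Below is an added example of how an app can enforce it, written for this article and not taken from Google's post or from any Android project. It assumes a placeholder allow-listed host (`example.com`) and uses only the pre-API-24 `WebViewClient` signatures so it applies to the Jelly Bean devices the post is about.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * A WebViewClient that lets the WebView render only content the app trusts:
 * pages bundled with the app (file:///android_asset/...) and pages fetched
 * over HTTPS from an explicit allow-list of hosts. Everything else, top-level
 * navigations and sub-resources alike, is refused, so an attacker who can
 * inject a link or an iframe cannot steer the legacy WebKit engine to a page
 * they control.
 */
public final class TrustedContentWebViewClient extends WebViewClient {

    // Placeholder for this example: replace with the host(s) your app really serves from.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com"));

    // Bundled content is only ever loaded from the app's own assets.
    private static final String ASSET_PREFIX = "file:///android_asset/";

    /** True if the URL is a bundled asset or an HTTPS URL on an allow-listed host. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        if (url.startsWith(ASSET_PREFIX)) return true;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Top-level navigations (links, redirects, JavaScript location changes). */
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Returning true tells the WebView NOT to load the URL.
        return !isTrusted(url);
    }

    /** Sub-resources (scripts, frames, images, XHR). Available from API 11. */
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) {
            return null; // null = let the WebView fetch it normally
        }
        // Serve an empty response instead of letting the engine fetch untrusted bytes.
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** Settings that shrink the attack surface of a WebView on older Android releases. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);                // turn on only if the trusted content needs it
        settings.setAllowFileAccess(false);                  // android_asset still loads; arbitrary file:// does not
        settings.setAllowContentAccess(false);               // API 11+: no content:// provider access
        settings.setAllowFileAccessFromFileURLs(false);      // API 16+
        settings.setAllowUniversalAccessFromFileURLs(false); // API 16+
        webView.setWebViewClient(new TrustedContentWebViewClient());
    }
}
```

Call `TrustedContentWebViewClient.harden(webView)` before the first `loadUrl`. Note what this does and does not buy you: it does not patch the WebKit bugs Ludwig is talking about, it only keeps attacker-controlled content away from the vulnerable engine, which is exactly the mitigation his post asks developers for. `shouldOverrideUrlLoading(WebView, String)` is the signature that exists on Jelly Bean; it was deprecated in API 24 in favour of the `WebResourceRequest` variant, so apps targeting newer releases should override both.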
Users' reactions, inevitably, have not been very diplomatic.