Quick Links

The web browser in Android 4.3 and earlier has many big security problems, and Google won't be patching it anymore. If you use a device with Android 4.3 Jelly Bean or earlier, you need to take action.

This problem is fixed in Android 4.4 and 5.0, but more than 60 percent of Android devices are stuck on devices that won't receive any security fixes.

Why Google Isn't Patching Android 4.3's Browser Anymore

Related: Why Your Android Phone Isn't Getting Updates, and What to Do About It

Android operating system updates are a mess. Manufacturers put out a huge number of different phones and modify the code extensively. Google can't just update the operating system on your device -- they can only put out new code and hope the device's manufacturer and your cellular carrier do the hard work of getting it to you.

Traditionally, most Android components have been baked in at the operating system level. This includes the built-in web browser, named "Browser." Importantly, the Browser itself and the underlying rendering engine are built into the operating system. The browser engine is used in every Android app that uses an embedded web browser, known as a "WebView."

This built-in browser is based on an old version of WebKit, and a serious flaw was recently discovered in it and reported to Google. Google has no way of providing an update directly to Android users to fix this problem. It has to be fixed through an operating system update, which requires device manufacturers and carriers do the work.

Sadly, even when Google was releasing security update code for Android 4.3's browser, many device manufacturers may not have even been shipping the fixes to their users. The only saving grace is that many Android devices have shipped with Google Chrome, and users are safe while using Chrome on those devices -- but, again, not while using other apps with embedded web browsers.

Most Android Users Are Stranded, But Android 4.4 and Newer Are Fixed

Related: Not Getting Android OS Updates? Here's How Google Is Updating Your Device Anyway

Google has been working on making Android OS updates matter less, breaking more features out of the core operating system so they can be updated via Google Play. In Android 4.4, the built-in browser can be quickly updated by device manufacturers with a tiny patch. In Android 5.0, the browser is updated by Google directly through Google Play.

But more than 60 percent of devices are using Android 4.3 and lower, according to Google's own numbers. Google hasn't released a "patch" for Android 4.3, but -- if they did -- it'd be up to phone manufacturers and cellular carriers to roll it out. Really, Google sees updating devices to Android 4.4 as the fix, and device manufacturers should be working on that instead.

We don't mean to absolve Google here. Building the browser deep into the operating system so it can't be quickly updated to fix security holes was a terrible decision, and we can only be thankful they've now changed the way modern versions of Android work. Device manufacturers and cellular carriers deserve a lot of the blame for not updating devices promptly. If you have a phone bought on a two-year contract, they should at least update the device with security updates for the length of the contract!

How to Stay Safe on Android 4.3 and Previous Versions

But this isn't just an interesting debate between Google and security professionals online. The reality is that most Android users are using a vulnerable web browser, and you may be one of them. Here's what you can do to stay as safe as possible:

  • Install and Use a Different Web Browser: Don't use the built-in "Browser" app to browse the web. Instead, install a browser like Mozilla Firefox or Google Chrome from Google Play. Chrome only works on Android 4.0 and up, but Mozilla Firefox still works on Android 2.3 Gingerbread. These browsers include their own rendering engines, so they don't use the system's browser engine. They're also frequently updated via Google Play. You'll probably find these browsers faster than the built-in browser if you have an older device with older built-in browser code, anyway!
  • Avoid Browsing With Embedded Web Browsers: Just using a third-party browser won't fix everything, as you'll still be at risk if you use an embedded web browser in an app -- these use the system's "WebView," which is vulnerable. Avoid browsing with embedded browsers if you have a vulnerable version of Android. Stick to a dedicated browser app like Firefox or Chrome.

Google actually recommended Android apps developers bundle browser engines in their apps on Android 4.3 and earlier. That's the only way they can ensure their built-in browsers are safe and secure. This is a dirty hack around the rotting browser code in Android itself. It's a pretty crazy recommendation, but developers may actually want to consider this -- especially if security is particularly important to the app.


So how much of a risk is this, really? Well, we haven't heard of anyone exploiting it yet. But Google's clear signal that 60 percent of all current Android devices won't be receiving browser security patches has surely been welcome to attackers. We expect to see Android browser exploits make their way into various mass-market collections of exploits, as Google abandoning the browser used on most Android devices leaves a gaping hole that can be freely exploited without the risk that patches will fix the problems.

It's a bit like the security problems with still using Windows XP -- if Windows XP was still being used by the majority of users when it was abandoned. Yes, the Android ecosystem is a mess. It should be possible for Google to get browser security updates to their users, but it's not.