What Android 5.0’s Auto-Updating WebView Means for Mobile Apps


For years, hybrid development has been plagued by the the slow, buggy, and difficult-to-debug Android WebView. Add to that the excruciatingly slow Android upgrade cycle, and you could have a very convincing reason to avoid hybrid development altogether.

But things change quickly in the mobile world. With Android 4.4 (October 2013), Google switched its WebView to use the Chromium rendering engine — a move that brought substantial speed improvements, numerous new APIs, and the ability to remote debug with the Chrome DevTools. Now, with Android 5.0, Android has introduced a game-changing new feature: updatable WebViews. Here’s how Google’s documentation puts it:

As new versions of Chromium become available, users can update from Google Play to ensure they get the latest enhancements and bug fixes for WebView, providing the latest web APIs and bug fixes for apps using WebView on Android 5.0 and higher.

Other sources confirm that the Android 5.0 WebView is a system-level .apk that can be updated without user intervention – a mechanism very much like Google Play Services — and a change that has massive implications on hybrid development.

Implication #1: Security

Even though Android KitKat switched to a Chromium-based WebView, the WebView itself was baked in to the Android OS. This means that each Android 4.4.x version has a specific version of Chromium its WebView uses, specifically Chromium 30 on Android 4.4.0–4.4.2 and Chromium 33 on Android 4.4.3–4.4.4.

From a security perspective this is troubling, because it means security vulnerabilities found in Chromium require an operating-system-level update to fix, which is particularly problematic in the Android world where OEMs aren’t exactly known for their swift upgrade cycles.

Several documented Android WebView vulnerabilities, including a particularly fun one that affected 70% of Android devices through QR codes, likely made auto-updating WebViews a priority for Google. By moving the WebView to a dedicated .apk, and by updating it in the background, Google now has a mechanism to address critical security vulnerabilities immediately, without needing the user’s (or the OEM’s) intervention.

Implication #2: New APIs and features are available immediately

While security updates are certainly important, they’re not the sort of thing most developers get excited about. What developers like are new features, and auto-updating WebViews promise to bring those features to developers faster. For instance, Android 5.0’s upgrade to Chromium 37 alone gives hybrid developers new access to WebRTC, WebAudio, WebGL, Web Components, and more.

Exactly how quickly these updates get pushed out is yet to be seen, and it will likely be difficult to keep up with Chrome’s fast development cycle. For example, Android 5.0’s WebView is already one Chromium version out of date. But regardless, it’s inevitable that the pace will increase from what it has been. For example when Chromium 33 shipped in Android 4.4.3 it was already 6-months old.

Although getting more frequent updates is something developers generally consider a positive, there’s also a flip side. Hybrid developers, who are used to testing their apps with the big yearly releases — Android 5.0, iOS 8, and so forth — will now have apps that behave more like websites, in that they can potentially update (and break) at any time. Since hybrid developers are web developers this won’t be a jarring change, but it does mean there’s a large group of Android developers that have to open their production apps more often.

Implication #3: The end of Android WebView fragmentation?

The final implication of auto-updating WebViews is probably the biggest one: a move to end WebView fragmentation. It’s no secret that Android has been trying to rein in fragmentation over the last few years, and increasingly their tactic has been moving functionality to Google Play Services — a set of services that run on Android 2.3+ and, most importantly, update in the background without user intervention. This means that although only a small fraction of Android users are on the latest OS version, 93% of Android users have the latest Google Play Service APIs (as of June 2014). The Google Play Services shift has been important enough that many believe that Android fragmentation is no longer a problem.

Although fragmentation may be tapering for Android in general, fragmentation remains a huge issue in the Android browser world. Android’s open nature exposes the WebView component for OEMs to tinker with and insert their own implementations. And they have. The most notable culprit is Samsung, who is currently a shipping a browser Peter-Paul Koch calls “Samsung Chrome”, which is based on Chrome (Chromium 28 specifically), but has some weird experimental flags set. For example Samsung Chrome allows you to use scoped styles, which has never shipped in a stable release of Google Chrome.

Moving the WebView to a Google Play Services-like app is another move against Android fragmentation, as the WebView is now deeply ingrained into the OS itself. Because Android is open, OEMs can still theoretically sidestep the default WebView, but the difficulty of doing so just got a lot harder; time will tell whether Android vendors will try and/or succeed. Regardless, auto-updating WebViews will unquestionably reduce fragmentation in the Android browser world, giving hybrid developers more confidence that their code will run the same across Android installs.

One big caveat

Before you get too excited, all of this good news about auto-updating WebViews has one huge caveat. Unlike Google Play Services, which runs on Android 2.3+, auto-updating WebViews are only available on Android 5.0 and up, which means it’s going to take a really long time before the benefits spelled out in this article get distributed to a significant number of users. To give a rough sense of the Android upgrade cadence, today (November 2014), a mere 24.5% of Android users have upgraded to the one-year-old Android 4.4 release.

Visualization of Android's market share

How long it will take users to get to 5.0 will be measured in years and not months, but don’t get too depressed. Auto-updating WebViews are an important step for the future of hybrid development. Even though it will take years, eventually, worrying about old Android versions should become a thing of the past. Once users reach 5.0, hybrid developers shouldn’t have to care about whether their users are on Android 5.0, 6.0, or 8.7 — and that’s something worth celebrating. If you’ve tried hybrid development, but got burned by the slow Android WebView, it may be time to give hybrid another chance. The future is looking better all the time.