Ludwig suggests a few things you can do to avoid or mitigate problems, though. For a start, he recommends surfing with browsers that don't use WebView but still get updates, like Chrome (which works on devices using Android 4.0) and Firefox (which runs on ancient Android 2.3 hardware). Hackers can't abuse the vulnerable software if you're not using it, after all. The Googler also tells app creators to either use their own web rendering tech or limit WebView to pages they can trust, like encrypted sites.

The advice should help if you're either a tech-savvy user or write apps. However, it still hints that quite a few people will remain at risk until those older releases of Android ride into the sunset. Many Android device owners aren't aware of alternatives to the stock Android browser, or can't easily get them (you have to jump through hoops to install Chrome if you can't use the Google Play Store, for instance). Also, there's no simple way to tell whether or not an app is using WebView. The chances of an attack are low if you're careful, but it could take a long, long while before the majority of Android gadgets are truly safe from WebView-related web exploits.
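For app creators, the advice above to limit WebView to trusted, encrypted pages can be enforced in code. The sketch below is an added example, not code from Google or from the original article; the class name and the `example.com` hosts are hypothetical placeholders. It uses the `String`-URL callback overloads, which are the ones available on older Android releases.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Confines a WebView to HTTPS pages on hosts the app author trusts. */
public class TrustedHostsWebViewClient extends WebViewClient {
    // Hypothetical allowlist (assumption): replace with the app's own hosts.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<String>(
            Arrays.asList("app.example.com", "static.example.com"));

    /** True only for https:// URLs whose host is on the allowlist. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return scheme != null && host != null
                && "https".equals(scheme.toLowerCase(Locale.US))
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.US));
    }

    // Navigations (link clicks, redirects): returning true cancels the load.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);
    }

    // Resource requests (scripts, frames, images): untrusted ones get an empty body.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) return null; // null lets WebView fetch it normally
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    // Cancelling is already the default; kept explicit so nobody swaps in proceed(),
    // which would accept a bad certificate and void the HTTPS guarantee.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();
    }
}
```

Install it with `webView.setWebViewClient(new TrustedHostsWebViewClient())`, and run `isTrusted()` on any URL the app passes to `loadUrl()` itself.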