Google says that although there is a web security flaw in your older Android phone, it has some good reasons for holding off a security update. Sicne last week there have been numerous public discussion related to vulnerabilities in versions of Webkit - a framework that lets apps show websites without a separate browser) - with people asking questions about security of browsers and WebView on Android 4.3 (Jellybean) and earlier.
As the company's Adrian Ludwig explains, it's no longer viable to "safely" patch vulnerable, pre-Android 4.4 versions of WebView to prevent remote attacks. The amount of necessary code changes would create new problems, he claims, especially since developers are introducing "thousands" of tweaks to the open source software every month.
He also suggested steps users and developers can take to mitigate the risk of potential exploitation of WebKit vulnerabilities without updating to Lollipop.
"Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users," Ludwig says.
When browsing on any platform, users should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome or Firefox are both options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater. Chrome has been the default browser for all Nexus and Google Play edition devices since 2012 and is pre-installed on many other popular devices (including Galaxy devices from Samsung, the G series from LG, the HTC One series, and the Motorola X and G).
Application developers should make sure that they are following all security best practices [http://goo.gl/b6a3ta]. In particular, to resolve this issue when using WebView [http://goo.gl/FKeouw], developers should confirm that only trusted content (e.g. loaded from a local source or over HTTPS) is displayed within WebViews in their application. For maximum security when rendering content from the open web, developers should consider providing their own renderer on Android 4.3 and earlier so that they can keep it up to date with the latest security patches.