There's a big difference between an app that 'uses a WebView' to render specific pieces of content or clicked links, and an app that is basically a thin wrapper around a WebView. Can you clarify whether your ~85% number is referring to the former or the latter?
We were looking for instances of insecure WebView usage, so from a security perspective small piece vs. entire app doesn't matter too much (and is difficult to measure, especially when looking at 1.1M apps).
However, some of the other numbers from our analysis can be useful to draw a picture of WebView usage.
We statically looked for uses of WebView, and 85% of the 1.1M apps used a WebView.
Of those 998,286 apps:
- 97% enable JavaScript (which is off by default)
- 36% use the JavaScript Bridge Interface (which is a fairly good indicator of heavy WebView usage)
- 94% implement a shouldOverrideUrlLoading method of the WebView (another good indicator that the developer is using the WebView for something non-trivial)
- 27% implement an onReceivedSslError method of the WebView (indication that the developer is using the WebView for something non-trivial). (Sadly, 29% of the apps that implement onReceivedSslError intentionally IGNORE all SSL errors.)
So I guess the takeaway is that 85% is an upper bound, the real number of WebView-only apps is absolutely lower, however it's clear that WebViews are significantly used in mobile apps.
In our study we didn't differentiate (from a security perspective, if you are vulnerable because you use a WebView when showing ads, then you are still vulnerable), so I don't have data for that.
It would be interesting data, although determining WebView for ads statically might be tricky.