by adamdoupe 3801 days ago
Sure! The short version is that I don't know.

We were looking for instances of insecure WebView usage, so from a security perspective small piece vs. entire app doesn't matter too much (and is difficult to measure, especially when looking at 1.1M apps).

However, some of the other numbers from our analysis can be useful to draw a picture of WebView usage.

We statically looked for uses of WebView, and 85% of the 1.1M apps used a WebView.

Of those 998,286 apps:

- 97% enable JavaScript (which is off by default)

- 36% use the JavaScript Bridge Interface (which is a fairly good indicator of heavy WebView usage)

- 94% implement a shouldOverrideUrlLoading method of the WebView (another good indicator that the developer is using the WebView for something non-trivial)

- 27% implement an onReceivedSslError method of the WebView (indication that the developer is using the WebView for something non-trivial). (Sadly, 29% of the apps that implement onReceivedSslError intentionally IGNORE all SSL errors.)

So I guess the takeaway is that 85% is an upper bound; the real number of WebView-only apps is absolutely lower. However, it's clear that WebViews are significantly used in mobile apps.
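The indicators listed in the comment above, including the "ignores all SSL errors" case, written as a source-level heuristic. This is an added example, not part of the original post and not the study's own analysis; the sample Java snippet, the `Bridge` class, and the function names `method_body` and `scan` are constructed for illustration.

```python
import re
# Constructed sample input (not from the study): a client that accepts every
# certificate error. `Bridge` is a hypothetical class name.
SAMPLE_IGNORES = '''
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "bridge");
webView.setWebViewClient(new WebViewClient() {
    public boolean shouldOverrideUrlLoading(WebView view, String url) { return false; }
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // accepts any certificate
    }
});
'''

def method_body(src, name):
    """Return (params, body) of the first method definition `name`, else None."""
    m = re.search(r'\b' + name + r'\s*\(([^)]*)\)\s*\{', src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:          # walk to the matching closing brace
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return m.group(1), src[m.end():i - 1]

def scan(src):
    """Heuristic flags for the WebView indicators named in the post."""
    src = re.sub(r'//[^\n]*|/\*.*?\*/', '', src, flags=re.S)  # drop comments
    report = {
        'js_enabled': bool(re.search(r'setJavaScriptEnabled\s*\(\s*true\s*\)', src)),
        'js_bridge': 'addJavascriptInterface' in src,
        'overrides_url_loading': method_body(src, 'shouldOverrideUrlLoading') is not None,
        'handles_ssl_error': False,
        'ignores_ssl_errors': False,
    }
    found = method_body(src, 'onReceivedSslError')
    if found:
        params, body = found
        h = re.search(r'SslErrorHandler\s+(\w+)', params)
        name = re.escape(h.group(1) if h else 'handler')
        proceeds = re.search(r'\b' + name + r'\s*\.\s*proceed\s*\(', body)
        rejects = (re.search(r'\b' + name + r'\s*\.\s*cancel\s*\(', body)
                   or 'super.onReceivedSslError' in body)
        report['handles_ssl_error'] = True
        # proceed() with no cancel()/super path: every TLS error is accepted
        report['ignores_ssl_errors'] = bool(proceeds) and not rejects
    return report
```

A handler that calls both `proceed()` and `cancel()` is not flagged, since it does not ignore all errors; deciding whether its condition is sound needs data-flow analysis beyond this text match.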

1 comments

As far as I'm aware, mobile DoubleClick ads need a WebView with JavaScript and shouldOverrideUrlLoading(). I'm not sure about others.

How do you account for apps that only use the WebView for showing ads with the various ad toolkits out there?

In our study we didn't differentiate (from a security perspective, if you are vulnerable because you use a WebView when showing ads, then you are still vulnerable), so I don't have data for that.

It would be interesting data, although determining WebView for ads statically might be tricky.