FYI, there's security hole with Android WebView for Android below KitKat that'll be never be fixed...
http://www.zdnet.com/article/google...s-for-pre-kitkat-webview-abandons-930m-users/
http://www.zdnet.com/article/google-why-we-wont-patch-pre-kitkat-android-webview/
And that vulnerability is fixed for KitKat, but I never got newer Android WebView update through Play Store, cause I remember getting Android WebView update through Play Store only after updating to Lollipop.
http://www.theregister.co.uk/2014/10/23/android_lollipop_webview_component_unwrapped_for_developers/
Of course going forward that'll improve, especially when the majority of Android devices has moved to at least Lollipop. But today, that's not the case just yet.
Admittedly you found a chink in my armor. Webview is an issue, however and I'm not trying to turn this into a straw man argument I feel this falls on the devs using webview (which I don't care for in Android or iOS btw). And realistically this isn't an issue although I admit it could be. Typical webview use is a from a trusted app to a trusted webpage in an otherwise featureless browser. I'd venture to say it wouldn't be hard to find a malicious webpage that could take advantage of a webview security hole however you'd have to intentionally go look for it.