Nearly a billion Android users – over half of all Android users worldwide – are at risk of being targeted by attackers exploiting vulnerabilities in WebView, as Google has decided not to provide security patches for the version of that core component used in pre-KitKat (v4.4) releases of the mobile OS.
WebView is the component that displays web pages on an Android device without the user needing to open another app to do it. Android KitKat and later versions of the OS have been equipped with a newer, Chromium-based version of WebView, which will continue to be updated by Google.
Google’s decision not to update the pre-4.4 WebView component came to light when Rapid7 researchers reported a new vulnerability in it to Google. The company responded that it no longer develops patches for pre-4.4 versions itself, but still welcomes patches submitted together with a report for consideration, and then shares those with OEMs.
“Google’s reasoning for this policy shift is that they ‘no longer certify 3rd party devices that include the Android Browser,’ and ‘the best way to ensure that Android devices are secure is to update them to the latest version of Android.’ To put it another way, Google’s position is that Jelly Bean devices are too old to support – after all, they are two versions back from the current release, Lollipop,” explained Tod Beardsley, technical lead for Rapid7’s Metasploit Framework.
This, he notes, would be a reasonable decision, were it not for the fact that around 60 percent – over 930 million – of Android users still use Android versions older than KitKat, and most are likely unable to upgrade to a newer version.
“Any new bug discovered in ‘legacy’ Android is going to last as a mass-market exploit vector for a long, long time,” he pointed out. A huge number of users will, therefore, be left vulnerable if Google doesn’t reconsider its stance on this.
“It’s important to stress that Android is, in fact, open source. Therefore, it’s not impossible for downstream handset manufacturers, service providers, retailers, or even enthusiastic users to come up with their own patches. This does seem to happen today; a 4.3 vulnerability may affect, say, a Kyocera handset, but not a Samsung device with the ‘same’ operating system,” he explained.
“While this is one of the core promises of open source in general, and Android in particular, it’s impossible to say how often this downstream patching actually happens, how often it will happen, and how effective these non-Google-sourced patches will be against future ‘old’ vulnerabilities.”
The only good news in all of this is that Google will continue to back-port patches for other pre-KitKat Android components.