Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below.
According to Rapid7, the core components of Android smartphones running OS 4.3 or earlier will not receive any security updates in 2015, meaning two-thirds of users won’t receive cover from Google.
Rapid7 engineering manager Tod Beardsley said that WebView is to Android what Internet Explorer is to Windows: usually the best vector for attackers who want to compromise client desktops.
Beardsley said that WebView is the core component used to render web pages on an Android device, and was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.
“Despite this change, though, it’s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team,” he said. “In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google, according to incident handlers at Android.”
Incident handlers at Android said that upon receiving a report of a new vulnerability in pre-4.4 WebView, “if the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
Beardsley called the change in security policy “bizarre”, though the incident handlers did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.
As of January 5, 2015, the current release, Lollipop, is less than 0.1 per cent of the installed market, according to Google’s Android Developer Dashboard.
Beardsley urged Google to reconsider their decision. He said: “Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning.
“As a software developer, I know that supporting old versions of my software is a huge hassle. I empathise with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”
Chris Boyd, malware intelligence analyst at Malwarebytes, said: “Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake/rogue application installs – typically by sites asking the device owner to allow installs from ‘unknown sources’.
“If they avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be, given this new approach to updates. It is unusual to expect researchers who discover vulnerabilities to provide their own patch alongside it, hoping the Android team may include it at a later date – and it remains to be seen if this approach will be a success.”