According to Google’s head of Android security, Adrian Ludwig, support for the WebView extension used in Android versions 4.3 Jelly Bean is too time consuming and costly.
Ludwig explained in a Google+ blog post that “WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”
Mark Kraynak, CPO at Imperva commented that this statement was ironic in light of recent Apple Mac OS X security flaws revealed by Google. “It’s a bit ironic that Google would make the claim that patching is too hard when in the last week Google released major vulnerabilities in Apple and Microsoft products despite those vendors saying much the same thing about those vulnerabilities and asking for more time to patch, to which Google responded that 90 days is too long to let vulnerabilities lie.”
Kraynak also suggested that the underlying problem is that sometimes it is too hard to patch quickly and app security needs to incorporate external solutions for patching. “Beyond the squabbles of internet giants, it really proves the point that external solutions for attack protection and virtual patching, like Web Application Firewalls, can take the time pressure off the patching process and should be an integral component of application protection.”
Rob Miller, senior security consultant for MWR InfoSecurity explained that the real victims of this development are both the device manufacturers and app developers. “This means that huge workload has been shifted from Google to the device manufacturers. It is foreseeable that the manufacturers may choose to stop supporting older handsets, as the workload now required of them is simply unaffordable.”
“Many developers build their apps to rely at least in part on WebViews. With nearly a billion Android users’ devices now likely running WebViews known to be vulnerable, developers will need to make difficult choices as to whether they should include their own webkit libraries, risk having their users connect to their servers in an insecure manner or whether they should restrict access to around 60% of their user base. If an attacker could compromise the app’s servers, a single webkit exploit would compromise every outdated device that then connected to it.”
“Google has unburdened itself of difficult and expensive work, but it will be device manufacturers and Android app developers that will need to pick it up if they want their users to remain safe online.”
Ludwig suggests using another browser to escape Android WebView hacks. “Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.”
