Google will now only fix WebView vulnerabilities itself if they affect Android 4.4 KitKat or later
Up to 930 million Android devices could be at risk following a change in policy at Google’s security team which means any vulnerability that affects WebView – which renders web pages on an Android smartphone or tablet – will only be fixed if it affects version 4.4 KitKat or later.
Google has not made this policy public, and it was only discovered by independent researcher Rafay Baloch and Rapid7’s Joe Vennix, both of whom have discovered a number of WebView exploits.
Tod Beardsley, a researcher at security firm Rapid7, was told by Google that it would welcome patches created by the open source community but would not be creating any fixes itself. Other pre-KitKat functions like media players will still be updated, however.
Lack of support
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” Google told Beardsley. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
According to Google’s latest figures, more than three fifths of Android devices run versions released prior to 4.4 KitKat, which itself accounts for just 39.1 percent of the market. Jelly Bean variants are present on 46.4 percent, with older versions making up 14.9 percent. Version 5.0 Lollipop is used by only 0.1 percent – less than 2.2 Froyo’s 0.4 percent.
Beardsley has questioned the wisdom of the decision given these figures and the fact that there are numerous barriers preventing developers and manufacturers from creating and distributing updates.
“Google generally does not publish or provide public comment on Android vulnerabilities, even when reported under reasonable disclosure procedures,” he wrote in a blog. “Instead, Android developers and consumers rely on third party notifications to explain vulnerabilities and their impact, and are expected to watch the open source repositories to learn of a fix.
“As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”
The absence of support for such a large proportion of Android’s total user base is likely to be concerning for many, but other researchers have suggested that there are more serious threats to the platform.
“Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake / rogue application installs – typically by sites asking the device owner to allow installs from ‘unknown sources’,” said Chris Boyd, malware intelligence analyst at Malwarebytes.
“If they avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be, given this new approach to updates. It is unusual to expect researchers who discover vulnerabilities to provide their own patch alongside it, hoping the Android team may include it at a later date – and it remains to be seen if this approach will be a success.”
Google had not responded to TechWeekEurope’s requests for comment at the time of publication.