Got a phone with Android 4.3 or earlier? No WebView security patches for you!

60 percent of Android devices left vulnerable to security risk
January 14, 2015
Android Malware Looks Safe, Steals Your Photos and Messages
January 16, 2015

15 January 2015

It’s not unusual for a developer to quit updating software after a certain amount of time. After all, developers have a limited amount of resources, and as older software declines in use, it doesn’t make financial sense to keep patching code with a declining share of the market.

But you wouldn’t think a developer would quit patching older code when it’s on the vast majority of devices in use, right? In the case of Google and Android, you’d be wrong.

Todd Beardsley, writing at the Security Street forum hosted by the Rapid7 security analytics firm, says Google has declared it will no longer supply patches for the Web viewer found on versions of Android older than 4.4, also known as Kit Kat. If you’re on Android 4.3 Jelly Bean or earlier, you’re out of luck – and thus vulnerable to malware that targets vulnerabilities in WebView. (In version 4.4 or later, Chromium is the included and default Web viewer.)

Now, if the vast majority of Android users were packing devices that had Kit Kat or later, this wouldn’t be a big deal. But take a look at this chartfrom the official Android Developers site.

Screen Shot 2015-01-13 at 7.53.12 AM

Kit Kat is found on 39 percent of Android devices that accessed Google’s Play store for new or updated software. Note that Android 5.0 Lollipop, the latest release of Google’s mobile operating system, isn’t included. That’s because it’s currently on less than 1 percent of all devices.

So, nearly 60 percent of Android smartphones and tablets are running browsers that will no longer be patched for these security vulnerabilities by Google.

When Beardsley reached out to confirm this, Google said while it wasn’t going to be offering fixes, third parties are welcome to do so. And he was told that other components of older Android versions will get patches:

However, after receiving a report of a new vulnerability in pre-4.4 WebView, the incident handlers at [email protected] responded with this:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

So, Google is no longer going to be providing patches for 4.3. This is some eyebrow-raising news.

I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy. So, I followed up and asked for confirmation on what was told to the vulnerability reporter. In response, I got a nearly identical statement from[email protected]:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.

When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.

One solution – short of buying brand-new hardware with the latest Android OS – is to upgrade your device to a newer version of Android. But given the way that OS updates work on the vast majority of Android devices, that’s not so easy.

On smartphones, carriers and hardware makers must issue updates after coordination and testing. In many cases, that never happens – Android owners are stuck with the versions that came with their phones, or must be technically savvy enough to install an unofficial update themselves.

And since 97 percent of mobile malware is on Android, this is troubling news indeed.

Source – http://blog.seattlepi.com/techblog/2015/01/13/got-a-phone-with-android-4-3-or-earlier-no-webview-security-patches-for-you/

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Request Demo