2 min read

Google endangers 900 million Android smartphones, by refusing to patch WebView

Graham CLULEY

January 14, 2015

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Google endangers 900 million Android smartphones, by refusing to patch WebView

Do you have an Android smartphone or tablet? Have you checked what version of the Android OS you are running?

Because if you are running Android 4.3 (aka Jellybean) or earlier I’m afraid there’s some bad news: you’re not going to be receiving any security updates from Google for WebView, a core component of the Android operating system used to render webpages.

In case you didn’t know, WebView is the tool within Android which allows apps to display webpages without you having to open a separate browser. And if WebView’s security holes aren’t patched and you happen to visit a poisoned webpage, your Android device could be hit by a drive-by download attack.

So, does it matter that Google isn’t patching WebView on older versions of Android?

I think so. Take a look at this graph, where Google’s own statistics show that the majority of Android devices (60% or so) are vulnerable because they are running pre-KitKat versions of Android.

android-split

In Android 4.4 (KitKat), Google switched to a Chromium-based version of WebView – which continues to be maintained.

Tod Beardsley, an engineering manager at Rapid7, broke the news of Google’s bizarre decision to no longer update WebView on Android 4.3 or earlier.

After informing Google’s security team about a newly-found vulnerability in versions of WebView prior to Android 4.4, Beardsley was told:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Obviously, it’s not trivial to continue to support and update devices running legacy versions of an operating system. But with more than 900 million devices at risk, and Android smartphones and tablets continuing to be sold which have the older OS, this decision by Google is going to leave many in the lurch.

After all, if security is really important to you, the only options are to write a patch the vulnerability yourself (which Google apparently will be happy to receive), upgrade to a new smartphone or switch to a platform like iOS.

It’s a deeply troubling situation, and one that Beardsley hopes Google will reconsider:

“Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning…. I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Personally I find it ironic that Google has just criticised Microsoft for not issuing a security patch as quickly as it would have liked, when Google itself has silently dropped any future plans to *ever* provide WebView patches for the over 900 million Android devices out there.

Google, get your house in order. Stop throwing stones in glass houses, and show that you care about the security of those who have bought (and in some cases are *still* buying) devices running Android 4.3 or earlier.

tags


Author



Right now

Top posts

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
Cyber Tips for a Spook-Free Halloween

Cyber Tips for a Spook-Free Halloween

October 26, 2022

3 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Hacking cars remotely with just their VIN Hacking cars remotely with just their VIN
Graham CLULEY

December 05, 2022

2 min read
Russian courts attacked by CryWiper malware that poses as ransomware Russian courts attacked by CryWiper malware that poses as ransomware
Graham CLULEY

December 05, 2022

2 min read
Android App in Google Play Store Was Harvesting SMS Messages Helping Criminals Create New Accounts Android App in Google Play Store Was Harvesting SMS Messages Helping Criminals Create New Accounts
Silviu STAHIE

December 02, 2022

1 min read