2 min read

Google endangers 900 million Android smartphones, by refusing to patch WebView

Graham CLULEY

January 14, 2015

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Google endangers 900 million Android smartphones, by refusing to patch WebView

Do you have an Android smartphone or tablet? Have you checked what version of the Android OS you are running?

Because if you are running Android 4.3 (aka Jellybean) or earlier I’m afraid there’s some bad news: you’re not going to be receiving any security updates from Google for WebView, a core component of the Android operating system used to render webpages.

In case you didn’t know, WebView is the tool within Android which allows apps to display webpages without you having to open a separate browser. And if WebView’s security holes aren’t patched and you happen to visit a poisoned webpage, your Android device could be hit by a drive-by download attack.

So, does it matter that Google isn’t patching WebView on older versions of Android?

I think so. Take a look at this graph, where Google’s own statistics show that the majority of Android devices (60% or so) are vulnerable because they are running pre-KitKat versions of Android.

android-split

In Android 4.4 (KitKat), Google switched to a Chromium-based version of WebView – which continues to be maintained.

Tod Beardsley, an engineering manager at Rapid7, broke the news of Google’s bizarre decision to no longer update WebView on Android 4.3 or earlier.

After informing Google’s security team about a newly-found vulnerability in versions of WebView prior to Android 4.4, Beardsley was told:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Obviously, it’s not trivial to continue to support and update devices running legacy versions of an operating system. But with more than 900 million devices at risk, and Android smartphones and tablets continuing to be sold which have the older OS, this decision by Google is going to leave many in the lurch.

After all, if security is really important to you, the only options are to write a patch the vulnerability yourself (which Google apparently will be happy to receive), upgrade to a new smartphone or switch to a platform like iOS.

It’s a deeply troubling situation, and one that Beardsley hopes Google will reconsider:

“Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning…. I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Personally I find it ironic that Google has just criticised Microsoft for not issuing a security patch as quickly as it would have liked, when Google itself has silently dropped any future plans to *ever* provide WebView patches for the over 900 million Android devices out there.

Google, get your house in order. Stop throwing stones in glass houses, and show that you care about the security of those who have bought (and in some cases are *still* buying) devices running Android 4.3 or earlier.

tags


Author



Right now

Top posts

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read
What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

What Is a VPN, How Does It Protect Me, and What Cool Perks Does it Offer?

September 23, 2021

2 min read
Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Tesla reverses "Full self-driving" beta update after sudden braking reports Tesla reverses "Full self-driving" beta update after sudden braking reports
Graham CLULEY

October 27, 2021

2 min read
Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers Ukrainian Police Arrest Underground Darknet Group Laundering Cryptocurrency for Hackers
Silviu STAHIE

October 26, 2021

1 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
Filip TRUȚĂ

October 26, 2021

3 min read