Google endangers 900 million Android smartphones, by refusing to patch WebView

Graham CLULEY

January 14, 2015

Do you have an Android smartphone or tablet? Have you checked what version of the Android OS you are running?

Because if you are running Android 4.3 (aka Jelly Bean) or earlier, I’m afraid there’s some bad news: you’re not going to be receiving any security updates from Google for WebView, a core component of the Android operating system used to render webpages.

In case you didn’t know, WebView is the tool within Android which allows apps to display webpages without you having to open a separate browser. And if WebView’s security holes aren’t patched and you happen to visit a poisoned webpage, your Android device could be hit by a drive-by download attack.

So, does it matter that Google isn’t patching WebView on older versions of Android?

I think so. Take a look at this graph, where Google’s own statistics show that the majority of Android devices (60% or so) are vulnerable because they are running pre-KitKat versions of Android.

[Graph: Android version split]

In Android 4.4 (KitKat), Google switched to a Chromium-based version of WebView – which continues to be maintained.
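To gauge how much of your own web traffic comes from devices on the unmaintained side of that 4.4 cutoff, you can classify the Android version found in User-Agent strings. The sketch below is an added example, not part of the original article; the function names and the sample User-Agent strings are constructed for illustration.

```python
import re

# First release with the Chromium-based WebView, per the article (Android 4.4, KitKat).
FIRST_MAINTAINED = (4, 4)
# The "Android x[.y[.z]]" token that Android browsers and WebView put in the User-Agent.
_ANDROID_UA = re.compile(r"\bAndroid (\d+(?:\.\d+){0,2})")


def android_version(user_agent):
    """Return the Android release as a tuple of ints, or None if no version is present."""
    m = _ANDROID_UA.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 2:  # "Android 4" is treated as (4, 0)
        parts.append(0)
    return tuple(parts)


def classify(user_agent):
    """Label a UA: legacy-webview (<= 4.3), maintained (>= 4.4), android-unknown, not-android."""
    version = android_version(user_agent)
    if version is None:
        # Some Android browsers send "Android" without a version number.
        return "android-unknown" if "Android" in user_agent else "not-android"
    return "legacy-webview" if version[:2] < FIRST_MAINTAINED else "maintained"


def summarize(user_agents):
    """Count how many User-Agent strings fall into each label."""
    counts = {}
    for ua in user_agents:
        label = classify(ua)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample User-Agent strings (not taken from real logs).
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 5.0; Nexus 6 Build/LRX21O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.93 Mobile Safari/537.36",
    "Mozilla/5.0 (Android; Mobile; rv:34.0) Gecko/34.0 Firefox/34.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_UAS))
```

The User-Agent header is supplied by the client, so treat the counts as an estimate rather than an inventory. For managed devices, the same comparison can be applied to the OS version reported by your device management tooling.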

Tod Beardsley, an engineering manager at Rapid7, broke the news of Google’s bizarre decision to no longer update WebView on Android 4.3 or earlier.

After informing Google’s security team about a newly-found vulnerability in versions of WebView prior to Android 4.4, Beardsley was told:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Obviously, it’s not trivial to continue to support and update devices running legacy versions of an operating system. But with more than 900 million devices at risk, and Android smartphones and tablets continuing to be sold which have the older OS, this decision by Google is going to leave many in the lurch.

After all, if security is really important to you, the only options are to write a patch for the vulnerability yourself (which Google apparently will be happy to receive), upgrade to a new smartphone or switch to a platform like iOS.

It’s a deeply troubling situation, and one that Beardsley hopes Google will reconsider:

“Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning…. I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Personally I find it ironic that Google has just criticised Microsoft for not issuing a security patch as quickly as it would have liked, when Google itself has silently dropped any future plans to *ever* provide WebView patches for the over 900 million Android devices out there.

Google, get your house in order. Stop throwing stones in glass houses, and show that you care about the security of those who have bought (and in some cases are *still* buying) devices running Android 4.3 or earlier.
