Connect with us

Hi, what are you looking for?



Google Says It’s Not Practical to Fix Flaws in Pre-KitKat Android

Researchers reported earlier this month that Google was no longer patching vulnerabilities affecting the WebView component in Android Jelly Bean (4.3) and prior. The search giant has motivated its decision by saying that it’s no longer practical to apply patches to old branches.

Researchers reported earlier this month that Google was no longer patching vulnerabilities affecting the WebView component in Android Jelly Bean (4.3) and prior. The search giant has motivated its decision by saying that it’s no longer practical to apply patches to old branches.

Over the past months, security experts identified several vulnerabilities in the WebView used by the Android Open Source Platform (AOSP) browser shipped by default with versions of Android older than KitKat (4.4). After reporting the issues to Google, researchers were informed that the company is no longer developing patches for older versions of WebView, but pointed out that those who report bugs can submit patches for consideration.

Some researchers believe the company should not neglect these versions of the operating system because, according to Google’s own statistics, approximately 60% of devices still run Android Jelly Bean, Ice Cream Sandwich, Gingerbread, and Froyo.

Android Vulnerabiliites“The news of Google not only abandoning security updates to its WebView in version 4.3 and below, but also the lack of transparency of doing so, is proof that device makers won’t be responsible for security indefinitely, letting the weight fall on corporate IT/Security departments in their stead,” Domingo Guerra, president and co-founder of Appthority, told SecurityWeek when the news broke. “With Android market share being #1 worldwide, it is hugely concerning, and surprising, that Google is leaving such a large install-base out in the wind.”

Last week, Adrian Ludwig, lead engineer for Android security at Google, explained the company’s decision and provided recommendations for both users and developers.

Ludwig has pointed out that Google has made great progress as far as WebView and browser security are concerned. Android KitKat is designed to allow device manufacturers (OEMs) to quickly deliver WebView binary updates from Google. Furthermore, with the latest version of Android, Lollipop (5.0), the updates are delivered directly through Google Play so that OEMs are no longer responsible for distributing patches.

“Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” Ludwig explained in a blog post. “With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

Some members of the industry highlighted that Google’s recent decision to stop providing patches for older versions of Android puts hundreds of millions of devices at risk. Others, however, believe this is actually a step in the right direction.

Advertisement. Scroll to continue reading.

“Lookout doesn’t have hard data to confirm or deny this hypothesis, but it is our belief that the majority of devices in the world are either on an upgrade path to 4.4 or later, or they are generally not receiving updates at all. Therefore, the likely exposure to this policy change will likely not be very large, as in the former case, you’re in the clear, and in the latter case, you would be vulnerable either way,” Jeremy Linden, security product manager at Lookout, told SecurityWeek

“We certainly believe the changes made by Google to allow upgrades to WebKit (as well as other components of the OS) outside of OEM/carrier pushes are very positive changes that reduce the impact of Android fragmentation for security issues,” Linden added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.