Researchers reported earlier this month that Google was no longer patching vulnerabilities affecting the WebView component in Android Jelly Bean (4.3) and prior. The search giant has motivated its decision by saying that it’s no longer practical to apply patches to old branches.
Over the past months, security experts identified several vulnerabilities in the WebView used by the Android Open Source Platform (AOSP) browser shipped by default with versions of Android older than KitKat (4.4). After reporting the issues to Google, researchers were informed that the company is no longer developing patches for older versions of WebView, but pointed out that those who report bugs can submit patches for consideration.
Some researchers believe the company should not neglect these versions of the operating system because, according to Google’s own statistics, approximately 60% of devices still run Android Jelly Bean, Ice Cream Sandwich, Gingerbread, and Froyo.
“The news of Google not only abandoning security updates to its WebView in version 4.3 and below, but also the lack of transparency of doing so, is proof that device makers won’t be responsible for security indefinitely, letting the weight fall on corporate IT/Security departments in their stead,” Domingo Guerra, president and co-founder of Appthority, told SecurityWeek when the news broke. “With Android market share being #1 worldwide, it is hugely concerning, and surprising, that Google is leaving such a large install-base out in the wind.”
Last week, Adrian Ludwig, lead engineer for Android security at Google, explained the company’s decision and provided recommendations for both users and developers.
Ludwig has pointed out that Google has made great progress as far as WebView and browser security are concerned. Android KitKat is designed to allow device manufacturers (OEMs) to quickly deliver WebView binary updates from Google. Furthermore, with the latest version of Android, Lollipop (5.0), the updates are delivered directly through Google Play so that OEMs are no longer responsible for distributing patches.
“Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely,” Ludwig explained in a blog post. “With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”
Some members of the industry highlighted that Google’s recent decision to stop providing patches for older versions of Android puts hundreds of millions of devices at risk. Others, however, believe this is actually a step in the right direction.
“Lookout doesn’t have hard data to confirm or deny this hypothesis, but it is our belief that the majority of devices in the world are either on an upgrade path to 4.4 or later, or they are generally not receiving updates at all. Therefore, the likely exposure to this policy change will likely not be very large, as in the former case, you’re in the clear, and in the latter case, you would be vulnerable either way,” Jeremy Linden, security product manager at Lookout, told SecurityWeek.
“We certainly believe the changes made by Google to allow upgrades to WebKit (as well as other components of the OS) outside of OEM/carrier pushes are very positive changes that reduce the impact of Android fragmentation for security issues,” Linden added.
