Google Stops Patching Vulnerabilities in Old Versions of Android

Vulnerabilities found in WebView and possibly other components included in old versions of the Android operating system will no longer be patched by Google, researchers have learned.

WebView is a component that’s used to display Web pages on Android smartphones. Starting with Android 4.4 (KitKat), Google introduced a new WebView based on the Chromium open source project.

The problem is that researchers such as Rafay Baloch and Rapid7’s Joe Vennix have found, and they keep finding, numerous security vulnerabilities in the old WebView, which is used by the Android Open Source Platform (AOSP) browser shipped by default with pre-KitKat versions of the OS. The popular penetration testing tool Metasploit includes exploits for 11 such flaws.

However, it appears that Google has stopped patching any vulnerabilities affecting this older version of WebView, despite the fact that roughly 60% of devices still run Android Jelly Bean (4.1-4.3), Ice Cream Sandwich (4.0), Gingerbread (2.3), and Froyo (2.2). According to recent studies, roughly 930 million devices run a version of the OS that Google considers outdated.

Google’s security team informed researchers at Rapid7 that they no longer develop patches for WebView prior to version 4.4. Instead, those who report the vulnerabilities are welcome to submit patches “for consideration,” Google said.

If vulnerability reports are not accompanied by a patch, all Google can do is notify its partners of the bug’s existence. If a patch is made available, it will be forwarded to partners, the company told Rapid7.

Google hasn’t clarified if the same policy applies to other components included in Android versions prior to 4.4.

While the search giant hasn’t officially informed customers that the operating systems they’re using on their mobile devices have reached end-of-life (EOL), the company says it can “no longer certify 3rd party devices that include the Android Browser,” and “the best way to ensure that Android devices are secure is to update them to the latest version of Android.”

Rapid7’s Tod Beardsley has pointed out that this is great news for cybercriminals because many users simply can’t afford to purchase new phones to get the latest version of the operating system.

“Open source security researchers routinely publish vulnerability details and working exploits with the expectation that this kind of public discussion and disclosure can get both vendors and users to take notice of techniques employed by bad guys,” the researcher noted in a blog post. “By ‘burning’ these vulnerabilities, users come to expect that vendors will step up and provide reasonable defenses. Unfortunately, when the upstream vendor is unwilling to patch, even in the face of public disclosure, regular users remain permanently vulnerable.”

The process of patching Android vulnerabilities is complicated as it is: Google usually doesn’t inform users and developers when a flaw has been patched, and carriers and manufacturers are responsible for distributing the updates from Google to their customers.

If Google no longer develops patches for older versions of Android, it’s unlikely that smartphone manufacturers and mobile operators will distribute the patches developed by security researchers, Beardsley noted.

“I empathize with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge,” the expert said.

Steve Hultquist, chief evangelist at security analytics company RedSeal, has pointed out how such decisions can impact enterprises.

“Technology keeps moving forward on mobile devices, client computers, servers, and network infrastructure. As a result, the overall security of an organisation relies on the ongoing automated analysis of the current situation and processes and procedures to address the gaps that are uncovered daily,” Hultquist told SecurityWeek. “As we can see with the distribution of Android releases, being aware of the distribution of systems, their existing security issues, and how they are accessible from threats are all critical aspects of the overall security operation of an enterprise.”

“Having a clear picture of the entire environment and all possible interconnections is a critical need for every organisation,” he added.
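The point Hultquist makes about knowing the distribution of Android releases in an environment can be turned into a simple fleet check. The following is an added example, not code from the article or from Google, Rapid7 or RedSeal: it reads a constructed device inventory export (the column names are an assumption, not a real MDM format), flags every Android device below 4.4 as still carrying the AOSP WebView that Google said it will no longer patch, and groups the flagged devices by the release families the article names.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory export; column names are an assumption, not a real MDM schema.
SAMPLE_EXPORT = """\
device_id,os,os_version
d-001,android,4.4.2
d-002,android,4.1.2
d-003,android,2.3.6
d-004,android,4.0.4
d-005,ios,8.1
d-006,android,4.3
d-007,android,2.2.1
d-008,android,5.0
"""

# Pre-KitKat release families named in the article, keyed by (major, minor).
LEGACY_FAMILIES = {
    (2, 2): "Froyo",
    (2, 3): "Gingerbread",
    (4, 0): "Ice Cream Sandwich",
    (4, 1): "Jelly Bean",
    (4, 2): "Jelly Bean",
    (4, 3): "Jelly Bean",
}
WEBVIEW_PATCH_FLOOR = (4, 4)  # KitKat: first release with the Chromium-based WebView

def parse_version(text):
    """'4.1.2' -> (4, 1); a bare major such as '4' is treated as minor 0."""
    parts = text.strip().split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor)

def has_unpatched_webview(os_name, os_version):
    # Only Android devices are in scope; anything older than 4.4 still ships the old WebView.
    return os_name.lower() == "android" and parse_version(os_version) < WEBVIEW_PATCH_FLOOR

def audit(export_text):
    # Returns (flagged device ids, counts per legacy family, share of the Android fleet affected).
    flagged, families, android_total = [], Counter(), 0
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["os"].lower() != "android":
            continue
        android_total += 1
        if has_unpatched_webview(row["os"], row["os_version"]):
            flagged.append(row["device_id"])
            families[LEGACY_FAMILIES.get(parse_version(row["os_version"]), "other pre-4.4")] += 1
    share = len(flagged) / android_total if android_total else 0.0
    return flagged, dict(families), share
```

On the sample export, `audit(SAMPLE_EXPORT)` flags five of the seven Android devices; pointing the same function at a real export is enough to size the exposure the article describes.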

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.