Google endangers 900 million Android smartphones, by refusing to patch WebView

Do you have an Android smartphone or tablet? Have you checked what version of the Android OS you are running?

Because if you are running Android 4.3 (aka Jellybean) or earlier I’m afraid there’s some bad news: you’re not going to be receiving any security updates from Google for WebView, a core component of the Android operating system used to render webpages.

In case you didn’t know, WebView is the tool within Android which allows apps to display webpages without you having to open a separate browser. And if WebView’s security holes aren’t patched and you happen to visit a poisoned webpage, your Android device could be hit by a drive-by download attack.

So, does it matter that Google isn’t patching WebView on older versions of Android?

I think so. Take a look at this graph, where Google’s own statistics show that the majority of Android devices (60% or so) are vulnerable because they are running pre-KitKat versions of Android.

[Chart: Android platform version distribution, from Google's own statistics]

In Android 4.4 (KitKat), Google switched to a Chromium-based version of WebView – which continues to be maintained.

Tod Beardsley, an engineering manager at Rapid7, broke the news of Google’s bizarre decision to no longer update WebView on Android 4.3 or earlier.

After informing Google’s security team about a newly-found vulnerability in versions of WebView prior to Android 4.4, Beardsley was told:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Obviously, it’s not trivial to continue to support and update devices running legacy versions of an operating system. But with more than 900 million devices at risk, and Android smartphones and tablets continuing to be sold which have the older OS, this decision by Google is going to leave many in the lurch.

After all, if security is really important to you, the only options are to write a patch for the vulnerability yourself (which Google apparently will be happy to receive), upgrade to a new smartphone, or switch to a platform like iOS.

It’s a deeply troubling situation, and one that Beardsley hopes Google will reconsider:

“Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning…. I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Personally I find it ironic that Google has just criticised Microsoft for not issuing a security patch as quickly as it would have liked, when Google itself has silently dropped any future plans to *ever* provide WebView patches for the over 900 million Android devices out there.

Google, get your house in order. Stop throwing stones in glass houses, and show that you care about the security of those who have bought (and in some cases are *still* buying) devices running Android 4.3 or earlier.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

7 Comments

  • How is this news? Google had never released system updates for previous versions of android. Why would WebView be any different?

  • I saw this and my immediate reaction was now this seems really bad. Then I thought, “well, if it is two releases ago then I can see how it might be acceptable; after all, open source projects on the bleeding edge do this”. What I didn’t know (and I did wonder about but was looking at all sides) is they are still selling the product: that is another issue entirely. It is one thing to not release updates to a product that is not only discouraged from use but also if you go to (example) download it, it isn’t even in plain sight – you have to go out of your way to download it and when you do you are warned of the risk and that you’ll have no support, no fixes, nothing (in very clear, very obvious language) – don’t use it but use the more recent versions. It is another entirely if they are still selling it. I’m not really surprised though: Google certainly has some odd ways of thinking about security and I fear odd is more like scary and outright dangerous. This goes for other things too: they have some scary ideas in general and they are oblivious to the implications (or maybe they actually don’t care as long as it fits their agenda… you know, sort of like dictators past that caused much suffering). Another way to compare (speaking of Microsoft – and yes it is indeed ironic, what you point out) is if Microsoft were to still be selling Windows 2000 (or more recent XP or…): “we won’t provide you updates but absolutely we’ll sell it; if you’re willing to buy it, why not? We’ll profit and that’s all that matters!” (when in reality compromised devices are a risk to many more than the direct victim… as all system and network administrators can tell you (it is amazing just how many spam attempts we see… spam being only one of many things; all of it is a thorn in the side and a huge waste of network resources and system resources))

  • Hi,

    I think Google did put out a patch for Jellybean 4.1-4.3 after Beardsley published his exploit. But as everyone knows, the manufacturers and carriers will drag their feet, or never update these vulnerable devices. Furthermore, Beardsley uses another browser from the Play Store for a demonstration I watched on a video interview of him. There are all kinds of apps that are vulnerable to this WebView vulnerability, namely through ad banners. My question is “why did he not use the native browser for the demo?” Maybe you should ask Beardsley some pointed questions. There is more to this story than you have covered, as I have read extensively about it, and being on 4.1.1, wanted to know. In one of his articles about this, a comments contributor created a test called Androidleak.tk. So I tried it, and if I read it correctly, I am not vulnerable as far as the native browser, but could be through other apps possibly.

  • Well Google’s mantra “Don’t be Evil” rings sort of hollow with the MS thing.

    I was a very happy Android user for a couple of years and got many of my friends onto it, but with each successive release breaking something or wrecking battery life I just got so fed up with it that now I don’t have a single Android device at all – I sold my last one – my Nexus 7 – the week before Christmas on eBay and did what I said I’d NEVER do – I went to John Lewis (as they give a 2-year warranty) and bought an iPad Mini with retina display. It’s early days, but I’m quite happy with it (so far) despite its restrictions in comparison to Android, and it’s safer and much more straightforward to use than Android, and the battery life is incredible. VPN is also rock solid compared to Android.

    I also have a new Windows 8.1 tablet arriving tomorrow.

    Bye bye Google and Android. You had your chance and blew it time after time…

  • I have a Galaxy Nexus (a.k.a. Google phone) and one of the draws when I purchased it was that I would get system updates. I’m now forced into replacing the phone since Google is only committed to updating devices for 18 months – that’s 6 months less than the contract most people have with their carrier.