Up to 930 million Android devices could be at risk following a change in policy at Google’s security team which means any vulnerability that affects WebView – which renders web pages on an Android smartphone or tablet – will only be fixed if it affects version 4.4 KitKat or later.
Google has not made this policy public, and it was only discovered by independent researcher Rafay Baloch and Rapid7’s Joe Vennix, both of whom have discovered a number of WebView exploits.
Tod Beardsley, a researcher at security firm Rapid7, was told by Google that it would welcome patches created by the open source community but would not be creating any fixes itself. Other pre-KitKat functions like media players will still be updated, however.
According to Google’s latest figures, more than three fifths of Android devices run versions released prior to 4.4 KitKat, which accounts for just 39.1 percent of the market. Jelly Bean variants are present on 46.4 percent, with older versions making up 14.9 percent. Version 5.0 Lollipop is used by only 0.1 percent – less than 2.2 Froyo’s 0.4 percent
Beardsley has questioned the wisdom of the decision given these figures and the fact that there are numerous barriers preventing developers and manufacturers from creating and distributing updates.
“Google generally does not publish or provide public comment on Android vulnerabilities, even when reported under reasonable disclosure procedures,” he wrote in a blog. “Instead, Android developers and consumers rely on third party notifications to explain vulnerabilities and their impact, and are expected to watch the open source repositories to learn of a fix.
“As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”
The absence of support for such a large proportion of Android’s total user base is likely to be concerning for many, but other researchers have suggested that there are more serious threats to the platform.
“Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake / rogue application installs – typically by sites asking the device owner to allow installs from “unknown sources,” said Chris Boyd, malware intelligence analyst at Malwarebytes.
“If they avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be, given this new approach to updates. It is unusual to expect researchers who discover vulnerabilities to provide their own patch alongside it, hoping the Android team may include it at a later date – and it remains to be seen if this approach will be a success.”
Google had not responded to TechWeekEurope’s requests for comment at the time of publication.
Are you a Google expert? Take our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…