Credit: Florence Ion via Computerworld
Google has stopped patching a core component of Android in versions older than v. 4.4, aka "KitKat," a security researcher said today, as he urged the company to reconsider the policy that could leave more than 60% of all Android users vulnerable to future attacks.
On Monday, Tod Beardsley, the engineering manager at security vendor Rapid7, claimed that Google's security team said they would not craft fixes for flaws in WebView for Android 4.3 and older. Android 4.3, the predecessor to KitKat, is better known as "Jelly Bean."
WebView is a core operating system component that powers the stock Android browser included with Jelly Bean -- Google replaced that browser with Chrome in KitKat -- and is called by apps that display a Web page in KitKat and earlier. (A much-changed WebView was spun out of the operating system as of Android 5.0, aka "Lollipop.")
"[WebView] is the way any app renders a Web page or Web-based content, like in-app ads," said Beardsley in an interview. "And WebView is the attack vector for Android. It's the way that Android devices talk to the Internet, and if I'm an attacker I'll exploit WebView by making a website and hope that people will click on it."
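The article describes the exposure but not what an app can do about it. The following is an added example, not code from the article, from Beardsley, or from Google: an app-side guard that detects a pre-KitKat device (API level below 19, the platform WebView the article says is no longer patched upstream) and, only there, keeps the WebView configured conservatively and confines it to a hypothetical allow-list of hosts the app owns. The class name, the allow-listed hosts and the `loadTrusted`/`harden` method names are assumptions chosen for illustration.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not part of the article): a defensive wrapper for apps that
 * still ship to Jelly Bean (4.3) and earlier, where the platform WebView will
 * not receive upstream fixes. All names below are illustrative assumptions.
 */
public final class LegacyWebViewGuard {

    // Constructed allow-list of hosts the app owns; replace in a real app.
    private static final List<String> TRUSTED_HOSTS =
            Arrays.asList("example.com", "www.example.com");

    private LegacyWebViewGuard() {}

    /** True on Android 4.3 and earlier, i.e. an API level below KitKat (19). */
    public static boolean isPreKitKat() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    /** True only for https URLs whose host is on the allow-list. */
    static boolean isTrusted(String url) {
        try {
            URI uri = new URI(url);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * On an unpatched-WebView device: JavaScript off, file:// and content://
     * access off, and in-page navigation confined to the allow-list. On KitKat
     * and later the caller's own settings are left untouched.
     */
    public static void harden(WebView webView) {
        if (!isPreKitKat()) {
            return;
        }
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation, so only
                // allow-listed https URLs are followed from inside the page.
                return !isTrusted(url);
            }
        });
    }

    /**
     * shouldOverrideUrlLoading is not consulted for the app's own loadUrl()
     * call, so the initial URL is checked here. Returns false and loads
     * nothing when the URL is not trusted on a pre-KitKat device.
     */
    public static boolean loadTrusted(WebView webView, String url) {
        if (isPreKitKat() && !isTrusted(url)) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }
}
```

Usage: call `LegacyWebViewGuard.harden(webView)` once after creating the view and `LegacyWebViewGuard.loadTrusted(webView, url)` in place of `webView.loadUrl(url)`. The guard deliberately does nothing on KitKat and later, so it limits functionality only where the article says fixes are no longer produced; the allow-list is the part a real app must fill in with hosts it actually controls.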
According to Beardsley, the Android security response team first responded to bug reports with a "we-don't-patch-WebView-anymore" reply in mid-October, after he submitted a vulnerability similar to one that Google processed and quickly patched just two weeks earlier.
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration," the response team told Beardsley via email. "Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
Google did not reply to a request for confirmation of that policy, or for comment about Beardsley's long blog post today. Beardsley called the practice "eyebrow-raising" and "shocking."
"Android has a huge installed base," he said, and pointed out that the versions for which WebView will not be patched by Google make up more than 60% of the installed base.
"I know it's a huge hassle to support things forever," said Beardsley. "Developers make that call every day. But most support Jelly Bean because they don't want to cut themselves out of a [large part] of the Android market."
He also criticized Google for not making clear what components in, say, Jelly Bean it did or didn't support. "They should tell people what is and what isn't supported," Beardsley added. "Today, there's nothing in the developer docs that mentions end of life."