Google Engineer Explains Company’s Decision Not to Patch Bug in Older Android Versions

Google has taken quite a bit of heat in recent weeks for its decision not to patch a vulnerability in the WebView component of Android in older versions, leaving hundreds of millions of users exposed to potential attacks. Now, a Google engineer is explaining the company’s reasoning, saying that patching older versions of the OS can be difficult and that users can run patched browsers, even on older versions of Android.

WebView is the Android component that apps use to render Web content in-app; through Android 4.3 it is built on WebKit. Beginning with Android 4.4, Google replaced it with a Chromium-based WebView, and the company has said it no longer plans to backport patches to the older WebKit-based WebView. That leaves it to OEMs to provide their own patches for those devices, if they choose to do so.

“Yes, it’s certainly a big deal for affected users, but not directly Google’s fault or responsibility,” Jon Oberheide, CTO of Duo Security, said when the WebView controversy emerged. “Google maintains the AOSP code, where this vulnerability is patched, and it’s up to the OEMs to patch their respective devices and ensure the OTA updates are delivered by carriers.”

Adrian Ludwig, a security engineer on the Android project at Google, said in a post Friday that it is no longer practical for the company to keep patching the WebView shipped in older versions of Android.

“Improving WebView and browser security is one of the areas where we’ve made the greatest progress. Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything. Until recently we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier,” Ludwig said.

“But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

Ludwig recommended that users on those older versions run a browser, such as Chrome or Firefox, that is updated through the Google Play store rather than only with the operating system.

“Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers,” he said.
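For an administrator auditing a fleet, the practical question is which of the three update paths Ludwig describes a given device is on: legacy WebKit (Android 4.3 and earlier, API level 18 or below, no further Google backports), KitKat (API 19, OEM-delivered WebView binaries) or Lollipop and later (API 20+, WebView updated via Google Play). The script below is an added example, not code from the article or from Google; it parses the `[key]: [value]` lines that `adb shell getprop` prints and classifies the device by `ro.build.version.sdk`. The property dumps in it are constructed samples, the `adb` wrapper at the end assumes a device is attached, and the API-level thresholds are the ones stated above.

```shell
#!/bin/sh
# Classify an Android device's WebView update path from its build properties.
# Input: text in the format printed by `adb shell getprop`, e.g.
#   [ro.build.version.sdk]: [18]
# Output: one line starting with legacy-webkit:, kitkat: or play-updated:.
# Exit status: 1 for a device that no longer receives Google WebView fixes,
#              2 if the SDK level cannot be determined, 0 otherwise.
webview_update_path() {
    # Strip CRs (older adb builds emit CRLF) and extract the SDK integer.
    sdk=$(printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^\[ro\.build\.version\.sdk\]: \[\([0-9][0-9]*\)\]$/\1/p')
    if [ -z "$sdk" ]; then
        echo "unknown: ro.build.version.sdk not found in properties"
        return 2
    fi
    if [ "$sdk" -lt 19 ]; then
        echo "legacy-webkit: API $sdk (Android 4.3 or earlier), Google no longer backports WebView fixes; rely on OEM patches or a Play-updated browser"
        return 1
    elif [ "$sdk" -eq 19 ]; then
        echo "kitkat: API 19, Chromium WebView updated only when the OEM ships Google's binary"
        return 0
    else
        echo "play-updated: API $sdk (Android 5.0+), WebView updated directly via Google Play"
        return 0
    fi
}

# Query an attached device by serial (assumes adb is on PATH and the device is authorized).
adb_webview_update_path() {
    webview_update_path "$(adb -s "$1" shell getprop)"
}

# Constructed sample property dumps, not captured from real devices.
SAMPLE_JELLYBEAN='[ro.build.version.release]: [4.3]
[ro.build.version.sdk]: [18]
[ro.product.model]: [ExampleDevice]'

SAMPLE_KITKAT='[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [19]
[ro.product.model]: [ExampleDevice]'

SAMPLE_LOLLIPOP='[ro.build.version.release]: [5.0.1]
[ro.build.version.sdk]: [21]
[ro.product.model]: [ExampleDevice]'

SAMPLE_NO_SDK='[ro.product.model]: [ExampleDevice]'

# Stand-alone run: print the classification for each sample.
for props in "$SAMPLE_JELLYBEAN" "$SAMPLE_KITKAT" "$SAMPLE_LOLLIPOP" "$SAMPLE_NO_SDK"; do
    webview_update_path "$props" || :
done
```

The non-zero exit status for legacy devices is deliberate so the function can gate an MDM compliance job; note that the check classifies the OS build only, and on Lollipop it says nothing about whether the Play-delivered WebView package on the device is actually current.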
