Hackers may have a perpetual shooting gallery of unpatched Android vulnerabilities at their disposal after it was disclosed today that Google no longer will provide WebView patches for older versions of its operating system.

Researchers at Rapid7 have made mincemeat of WebView in Android 4.3 (Jelly Bean) and earlier, including the 4.0 Ice Cream Sandwich releases. WebView is the component used to render webpages inside Android apps. The Metasploit Framework, which Rapid7 maintains, contains 11 WebView exploits, most of them courtesy of researchers Rafay Baloch and Joe Vennix.

WebView, however, has been replaced in Android starting with version 4.4, known as KitKat. The new component is built from the Chromium code base, the same code that underlies the Chrome browser. In its response to a recent Rapid7 report of another pre-4.4 bug, Google said it would no longer patch WebView vulnerabilities in those releases and would support only KitKat and the latest version of Android, Lollipop.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” said Google’s response to the bug submission according to Tod Beardsley, senior manager of engineering at Rapid7. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Putting the onus on OEMs may be in line with Google's business model of supporting only current versions of its OS (Google provides patches for its Nexus devices and works with OEMs to identify vulnerabilities in older versions of Android), but it is hardly a comfort for Android device owners.

“Yes, it’s certainly a big deal for affected users, but not directly Google’s fault or responsibility,” said Jon Oberheide, CTO of Duo Security. “Google maintains the AOSP code, where this vulnerability is patched, and it’s up to the OEMs to patch their respective devices and ensure the OTA updates are delivered by carriers.”

Relying on carriers to deliver updates, however, has been a fool’s errand. Few of them push patches in a timely way, despite federal regulators’ efforts to crack down on major carriers and handset makers for their lack of cooperation.

“Unfortunately, as we’ve seen in the past (e.g. from our X-Ray project), OEMs and carriers are quite terrible at timely patching of security vulnerabilities so these will likely go unpatched for some time, if not indefinitely, leaving users exposed,” Oberheide said.

The U.S. Federal Trade Commission in 2013 hammered handset maker HTC for failing to address vulnerabilities in its Android mobile devices that exposed consumers to malware attacks, the loss of personal information and even physical harm in stalking cases. The two parties reached a costly settlement for HTC which was ordered to develop and release patches for its devices, establish a security program and submit to regular security assessments for 20 years.

Later that year, the American Civil Liberties Union (ACLU) filed a complaint with the FTC calling out Verizon, AT&T, Sprint-Nextel and T-Mobile for their reluctance to patch Android vulnerabilities. The complaint asked the FTC to force carriers to warn users about unpatched vulnerabilities and to let customers leave their carrier contracts in such cases without penalties.

Beardsley said Google told Rapid7 that it no longer certifies third-party devices that include the legacy Android browser, and that updating to the latest Android version is the best way to stay current on security.

“On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds; heck, many vendors drop support once the next version is released, and many others don’t have a clear End-Of-Life (EOL) policy at all,” Beardsley said.

However, according to the Android Developers Dashboard, 60 percent of Android users are on Jelly Bean 4.3 or older, an estimate of 930 million out of date Android devices, Beardsley said.

“The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business,” Beardsley said. “After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”
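Since the only fix Google offers is to move a device to 4.4 or later, the practical question for anyone managing a fleet is which devices still carry the legacy WebView. The script below is an added example, not code from the article, Rapid7 or Google: it maps a device's API level (the `ro.build.version.sdk` property) to a support status, where API 19 is KitKat and anything below it is the unpatched WebKit-based WebView, and parses `adb shell getprop` output to classify each attached device. The `adb` commands used are real; the sample property dumps at the bottom are constructed so the classifier can be exercised without a device.

```shell
#!/bin/sh
# Added example (not from the article, Rapid7 or Google): classify Android devices by
# whether they carry the legacy WebKit-based WebView that Google said it will no longer
# patch (Android < 4.4, API level < 19) or the Chromium-based one (KitKat, API 19, and later).

# Map an API level (ro.build.version.sdk) to a WebView support status.
# Prints LEGACY_UNPATCHED, CHROMIUM or UNKNOWN (UNKNOWN also returns non-zero).
webview_status() {
    sdk="$1"
    case "$sdk" in
        ''|*[!0-9]*) echo UNKNOWN; return 1 ;;
    esac
    if [ "$sdk" -lt 19 ]; then
        echo LEGACY_UNPATCHED
    else
        echo CHROMIUM
    fi
}

# Parse `adb shell getprop` output from stdin (lines such as "[ro.build.version.sdk]: [18]")
# and print "serial<TAB>release<TAB>sdk<TAB>status". Reading stdin keeps it testable offline.
classify_getprop() {
    serial="$1"
    release=""; sdk=""
    while IFS= read -r line; do
        case "$line" in
            "[ro.build.version.release]: ["*) release=${line#*: [}; release=${release%]} ;;
            "[ro.build.version.sdk]: ["*)     sdk=${line#*: [};     sdk=${sdk%]} ;;
        esac
    done
    printf '%s\t%s\t%s\t%s\n' "$serial" "${release:-?}" "${sdk:-?}" "$(webview_status "$sdk")"
}

# Live scan of every attached device. Skipped (with a note on stderr) when adb is absent.
scan_attached() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live scan" >&2; return 0; }
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        # getprop output carries CRLF line endings on some builds; strip the CR before parsing.
        adb -s "$serial" shell getprop | tr -d '\r' | classify_getprop "$serial"
    done
}

# Constructed sample property dumps (not captured from real devices) for offline use.
SAMPLE_JB='[ro.build.version.release]: [4.3]
[ro.build.version.sdk]: [18]'
SAMPLE_KK='[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]'

printf '%s\n' "$SAMPLE_JB" | classify_getprop sample-jellybean   # -> LEGACY_UNPATCHED
printf '%s\n' "$SAMPLE_KK" | classify_getprop sample-kitkat      # -> CHROMIUM
scan_attached
```

The API level is the reliable signal here rather than the marketing version string, because OEM builds sometimes report release strings that do not match the AOSP numbering; a device reporting API 18 or lower gets no WebView fixes from Google regardless of what its OEM calls the release.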

Categories: Hacks, Mobile Security, Vulnerabilities, Web Security

Comments (4)

  1. G

    This is a rather interesting way that Google may be “helping” carriers and OEMs to “force” the latest Android onto devices and remove the ridiculous process of adding swathes of crapware to devices.

    Especially as there is already precedent listed above where HTC and various carriers have been in hot water due to failure to protect device users. Perhaps OEMs and carriers can find new, novel ways to differentiate themselves in the market than holding up new versions of Android to install bloatware.

  2. AndroidLeak

    You can test your built-in Android Browser for known vulnerability at androidleak[dot]tk

    It seems that about 25% of Android devices are vulnerable.

  3. David L

    There is a patch for this and the despicable Tod Beardsley is aware of it! There is a screenshot of an email from a Google engineer who developed it on the side. He is too busy trying to ruin the experience of millions of Android users only so as to gain some attention. Here are the links to the patch. Please pass it along to other ETHICAL people who can help get the word out.

    https://android.googlesource.com/platform/external/webkit/+/1368e05e8875f00e8d2529fe6050d08b55ea4d87/Source/WebCore/page/DOMWindow.cpp

    And

    https://android.googlesource.com/platform/external/webkit/+/7e4405a7a12750ee27325f065b9825c25b40598c/Source/WebCore/page/DOMWindow.cpp

    There is more to this story. Google knew about the problems with WebView way back in 2012. I have researched this for some time now, and have lots of links to back it up. If anyone is interested, please get in touch. Google lied to Rafay Baloch when they told him they could not reproduce the vulnerability. When he published, they were forced to act. Even now, they are covering up, diverting attention. When they started to rebuild Chrome, and were still developing KitKat, they could have and should have fixed this. But that did not fit their plans. They knew they were throwing millions under the bus.