Hackers may have a perpetual shooting gallery of unpatched Android vulnerabilities at their disposal after it was disclosed today that Google no longer will provide WebView patches for older versions of its operating system.
Researchers at Rapid7 have made mincemeat of WebView in Android Jelly Bean, versions 4.0-4.3, and earlier. WebView is the component used to render webpages on Android devices. The Metasploit Framework, which is owned by Rapid7, contains 11 WebView exploits, most of them courtesy of researchers Rafay Baloch and Joe Vennix.
WebView, however, has been replaced in Android starting with version 4.4, known as KitKat. The new component comes from the Chromium code base and is the same as the one used in the Chrome browser. Google told Rapid7 researchers recently upon receipt of another pre-4.4 bug report that it would no longer patch WebView vulnerabilities and would support only KitKat and the latest version of Android, Lollipop.
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” said Google’s response to the bug submission according to Tod Beardsley, senior manager of engineering at Rapid7. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
Putting the onus on OEMs may be in line with Google’s business model of supporting only current versions of its OS—Google provides patches for its Nexus devices and works with OEMs identifying vulnerabilities in older versions of Android—but it’s hardly a comfort for Android device owners.
“Yes, it’s certainly a big deal for affected users, but not directly Google’s fault or responsibility,” said Jon Oberheide, CTO of Duo Security. “Google maintains the AOSP code, where this vulnerability is patched, and it’s up to the OEMs to patch their respective devices and ensure the OTA updates are delivered by carriers.”
Relying on carriers to deliver updates, however, has been a fool’s errand. Very few follow through with updates despite the best efforts of the federal government to crack down on major carriers and handset makers for their lack of cooperation.
“Unfortunately, as we’ve seen in the past (e.g. from our X-Ray project), OEMs and carriers are quite terrible at timely patching of security vulnerabilities so these will likely go unpatched for some time, if not indefinitely, leaving users exposed,” Oberheide said.
The U.S. Federal Trade Commission in 2013 hammered handset maker HTC for failing to address vulnerabilities in its Android mobile devices that exposed consumers to malware attacks, the loss of personal information and even physical harm in stalking cases. The two parties reached a costly settlement for HTC, which was ordered to develop and release patches for its devices, establish a security program and submit to regular security assessments for 20 years.
Later that year, the American Civil Liberties Union (ACLU) filed a complaint with the FTC calling out Verizon, AT&T, Sprint-Nextel and T-Mobile for their reluctance in patching Android vulnerabilities. The complaint asked the FTC to force carriers to warn users about unpatched vulnerabilities and give customers the option to leave their carrier contracts behind in such cases, without penalties.
Beardsley said Google told Rapid7 that it no longer certifies third-party devices that include the Android browser, and that updating to the latest Android version is the best way to stay up to date on security.
“On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds; heck, many vendors drop support once the next version is released, and many others don’t have a clear End-Of-Life (EOL) policy at all,” Beardsley said.
However, according to the Android Developers Dashboard, 60 percent of Android users are on Jelly Bean 4.3 or older, an estimate of 930 million out of date Android devices, Beardsley said.
“The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business,” Beardsley said. “After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”