So it seems the Google corporate motto/slogan “Don’t be evil” is falling down again: Google is adopting a very Microsoft-esque approach and orphaning users of older versions of Android (basically anything before Android 4.4, AKA KitKat).
That is the majority of Android users right now. Those on lower-end devices in particular are unlikely to get 4.4 updates, and even less likely to get Android 5.x (Lollipop), which is only coming to most providers early this year.
WebView vulnerabilities aren’t unheard of, and the current crop only affects Android 4.3 (Jelly Bean) and below, because 4.4 and later use a much newer Chromium-based WebView which is not susceptible to these exploits.
Over the past year, independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits fairly routinely, based both on published research and original findings. Today, Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior: either native Android 4.3, or apps built with 4.3 WebView compatibility.
WebView is the core component used to render web pages inside Android apps on a device. In Android KitKat (4.4) it was replaced with a more recent Chromium-based WebView, the same engine used by the popular Chrome browser.
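For app developers the practical question is what to do with a WebView on a device that will stay on the legacy engine. The following is an added example (not code from this article, Rapid7, or Google) for a hypothetical Android app: it detects the pre-KitKat WebView via Build.VERSION.SDK_INT, turns off the file:// and content:// bridges that turn a rendering bug into local data theft, pins navigation to an allow-list of HTTPS hosts, and refuses to run remote script at all on the legacy engine. The package name and ALLOWED_HOSTS values are placeholders.

```java
// Added example, not from the article: hardening a WebView in a hypothetical
// Android app so untrusted content is never rendered by the unpatched legacy engine.
package com.example.webviewcheck; // hypothetical package name

import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {

    // Hosts this app is willing to render; anything else is refused. (Placeholder values.)
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private HardenedWebView() {}

    /** True when the device still ships the pre-4.4 WebView that Google no longer patches. */
    public static boolean usesLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == API 19
    }

    /**
     * Lock down settings and navigation. Returns false when the caller should not
     * load remote content in this WebView at all and should fall back to an
     * externally updated browser instead.
     */
    public static boolean configure(WebView view, boolean needsJavaScript) {
        WebSettings s = view.getSettings();

        // Only enable script when the feature actually needs it...
        s.setJavaScriptEnabled(needsJavaScript);
        // ...and never the local-file bridges that let a page reach app-private data.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { // API 16+
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }

        // Pin navigation to the allow-list; returning true tells WebView "handled",
        // which for a disallowed URL means the navigation is simply dropped.
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !isAllowed(url);
            }
        });

        // On the legacy engine, remote script cannot be made safe by configuration:
        // the engine itself will not receive fixes from Google, so treat it as hostile.
        return !(usesLegacyWebView() && needsJavaScript);
    }

    /** Allow only https URLs whose host is on the list (case-insensitive host match). */
    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }
}
```

In an Activity the call would be `if (!HardenedWebView.configure(webView, true)) { /* hand the URL to the system browser via an ACTION_VIEW Intent instead */ }`, the assumption being that a Play-updated browser such as Chrome gets engine fixes that the device's built-in 4.3 WebView never will. The allow-list does not fix the engine; it only shrinks what an attacker has to control to reach it.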
Despite this change, though, it’s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team: Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4. In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.1 through 4.3) and earlier will no longer see security patches for WebView from Google, according to the Android security team’s incident handlers.
Up until recently, when a new vulnerability was discovered in Android 4.3, the folks at Google were pretty quick with a fix. After all, most people were on the “Jelly Bean” version of Android until December 2013, and Jelly Bean’s final release was just over a year ago, in October 2013. This is why the universal cross-site scripting (UXSS) bug Rafay reported was fixed, as seen in the Android changelog and on his blog, Rafay Hacking Articles.
The sad part is that Google seems to acknowledge this situation and isn’t really willing to do anything about it. Basically Android 4.3 has reached EOL (End of Life) and is being orphaned: Google will not be providing patches any more, even for critical security issues like this.
Perhaps it’s a forking issue, since the core of WebView is now a different code base, because other components of Android 4.3 will still be receiving back-ported patches.
However, after receiving a report of a new vulnerability in pre-4.4 WebView, the Android security team’s incident handlers responded with this:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
So, Google is no longer going to be providing patches for 4.3. This is some eyebrow-raising news.
I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy. So, I followed up and asked for confirmation on what was told to the vulnerability reporter. In response, I got a nearly identical statement from the Android security team:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.
When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.
Knowing Google, I don’t foresee them changing their stance on this. They might because of community/media pressure, but honestly I find that unlikely.
Either way, we shall keep an eye on it, because if they don’t patch these kinds of issues we could be looking at large-scale Android worm/malware infections popping up on the back of this.
Source: Rapid7
Histerik, Al says
It’s silly (and says something about bias) to put the blame squarely on Google. What about OEMs not updating their devices? The solution going forward is to create modular pieces that can be updated via Play (KitKat+) which Google is doing.
For a more balanced perspective: http://www.androidcentral.com/android-webview-security
Darknet says
That’s always been an issue with Android though: the fragmentation of devices and the difficulty OEMs have moving their devices to fundamentally different versions of Android than they were originally designed for.
Idealism vs reality: should all devices be on 4.4 and above? Yes, of course. Are they going to be? No. So what do we do, abandon them? It’s a LOT easier for OEMs to push out a patched 4.3 with minor testing than to invest millions in making sure every component of their devices works with 4.4.x.
Michael says
I’m scratching my head on this one.
Sometimes vendors don’t provide patches for very old versions in order to encourage customers to finally upgrade their OS (for example, Microsoft no longer providing WinXP patches).
But in this case, firstly, Android Jelly Bean isn’t that old. It’s not like customers have been holding on to the same phone for 10 years. Secondly, from what I’ve read it’s not easy to upgrade one’s Android version: you need your cellular network provider to make a custom version available for your phone.
I think that if there’s a large enough outcry, then Google will reconsider.
Darknet says
Yah, it’s not a 5 year old version that’s being left behind. It should be patched IMHO.
Rick Brown says
There are very few Android Lollipop users compared to Jelly Bean, and if Google has left them vulnerable, then it is very obvious that these users will switch to some other OS.