Saturday, May 28, 2022

930M Android devices vulnerable as Google stops WebView patches

An estimated 930 million devices will be left vulnerable to hack attacks as Google announced it will cease providing patches for pre-KitKat WebView bugs in Android.

WebView is a core component used for rendering Web pages on an Android device. The more recent Chromium-based version of WebView was introduced with Android version 4.4 (KitKat), but that still leaves a large number of devices exposed.

The latest Android distribution figures from Google indicate that 46 per cent of Android devices still run Jelly Bean and another 39.1 per cent use KitKat. Gingerbread runs on about 7.8 per cent of handsets, Ice Cream Sandwich on 6.7 per cent and Froyo on about 0.4 per cent.

WebView is used in about 930 million Android devices, Tod Beardsley, security researcher for IT security and data analytics firm Rapid7, said in his blog post on Metasploit. Numerous flaws in the component have been discovered by researchers over the years.

“Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope,” he said.

Beardsley followed up with Android and got this response:

“If the affected version (of WebView) is before 4.4, we generally do not develop patches ourselves but do notify partners of the issue…if patches are provided with the report or put into AOSP (Android Open Source Project) we are happy to provide them partners as well.”

“Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” the Android team said.

The Android team said other pre-KitKat components, such as multimedia players, will continue to get back-ported patches.

Since Android is open source, Beardsley noted that “it is not impossible” for handset manufacturers, service providers, retailers and even enthusiasts to come up with their own patches. However, he said it is impossible to say how often such patches would become available.

The security researcher also said Google’s decision not to support an old OS like Jelly Bean “seems like a reasonable decision,” but it is still a move that leaves millions of users vulnerable, as the company’s own monthly stats show a huge install base for older Android OSs.

The data also implies that the vulnerable users are those who might find it difficult to upgrade to a newer system because of budget constraints. The latest Google Nexus phone costs about US$660, while the first Android phone sells for under $70 on Amazon.

“As a software developer, I know that supporting old versions of my software is a huge hassle,” Beardsley said. “I empathize with their decision to cut legacy software loose. However a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives.”

Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.