android-security

It hasn’t been long since there was a bit of uproar about Android security. In particular, concerns centred on the older version of WebView that forms a part of Android 4.3, which is no longer being actively maintained by Google.

WebView? WebView was a system component (it now is updatable separately from the OS) that allows 3rd party apps to display web content within their app without having to code an entirely separate web browser component. You might have seen WebView in a Twitter client (for example) operating as an internal browser.

First of all, why isn’t it updated? Well, before Lollipop, WebView was a system component, meaning that it couldn’t be updated without updating the system itself. In practical terms, this meant that unless an OEM released an updated Android system image for a given device, WebView could not be updated. Google’s position has been (and remains) that it isn’t practical to integrate security patches from the Webkit community — which has hundreds of developers and thousands of changes each month — with a software version that’s now two years old.

Further than that, even if Google were to accept a Webkit change and integrate it with the older WebView code, it wouldn’t achieve much; without an OS update that included these changes, older devices wouldn’t benefit from it anyway.

Google’s standpoint appears to be that there is an update to WebView and other issues that arise in the older Jelly Bean systems; that update was called KitKat. In other words, if your OEM hasn’t seen fit to roll-out a KitKat update to your phone, then it’s their fault that your WebView is out of date, not Google’s, and that’s probably fair. Better news is that KitKat’s WebView is more easily updated — Android 4.4 (KitKat) allows OEMs to quickly deliver binary updates of WebView provided by Google, and in Android 5.0 (Lollipop), Google delivers these updates directly via Google Play, so OEMs won’t need to do anything.

So what can you do about it if you’re on an older Jelly Bean device that can’t be updated? You’ll need to take a couple of precautions, but it’s not hard. If you’re truly worried, don’t use apps that have an embedded browser; use a browser that has its own rendering engine built in that’s more up to date, such as Chrome or FireFox. Google’s Android Security spokesperson Adrian Ludwig advises:

When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome [http://goo.gl/elSkZX] or Firefox [http://goo.gl/Q5X6e3] are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater. Chrome has been the default browser for all Nexus and Google Play edition devices since 2012 and is pre-installed on many other popular devices (including Galaxy devices from Samsung, the G series from LG, the HTC One series, and the Motorola X and G), so you may already be using it.

Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future. It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.

As with all things, being careful online is the number one defence.

Source: +Adrian Ludwig.
    10 Comments
    newest
    oldest most voted
    Inline Feedbacks
    View all comments
    David L
    David L
    5 years ago

    Google knew about this well over a year ago! They ignored the issue to get far enough away to say it’s too late now. I think that a patch for jellybeen may actually be available,if I read correctly at Rafay Balock’s website. But I think they are more interested in pushing their exploits than informing the public. I hope some of the bloggers will look into this. I’m having trouble tracking it down. The website only has a picture,or screenshot of this supposed fix. I tried to google it,but am not that knowledgeable about these developer sites.

    JeniSkunk
    JeniSkunk
    5 years ago

    set sarcasm to 100
    REAL Nice of Google to kick users in the balls, who use slightly older, and/or inexpensive devices which due to their nature won’t be getting an update.
    set sarcasm to 0

    What Google are doing is forcing people who have such devices to find and buy a replacement, irrespective of whether or not the users want to, or CAN.

    ( ͡° ͜ʖ ͡°)
    ( ͡° ͜ʖ ͡°)
    Reply to  JeniSkunk
    5 years ago

    To be fair, OEMs should update their devices at least once. Some devices never even see a single update.

    JeniSkunk
    JeniSkunk
    Reply to  ( ͡° ͜ʖ ͡°)
    5 years ago

    It’s not merely a case of ‘OEMs should update their devices at least once’
    This is a case where the major mob behind the OS is consigning millions of
    users devices to an insecurity nightmare, simply because these devices
    will be better than odds on never to see an OS update.

    AdamM
    AdamM
    Reply to  JeniSkunk
    5 years ago

    Jeni, did you read this bit: “even if Google were to accept a Webkit change and integrate it with the older WebView code, it wouldn’t achieve much; without an OS update that included these changes” So if Google updated Webview for Android 4.3 or older, it would still be a part of the core OS and up to the OEMs to provide that updated version of Android to you as the purchaser of their device. Given their reluctance to roll out any other Android upgrades, just how likely is that? Fortunately, the Android OS has evolved and this security component… Read more »

    chris
    chris
    Reply to  JeniSkunk
    5 years ago

    Once again SHUT THE FUCK UP JENI
    stop it with your crap negative comments, Google has CLEARLY stated why they are doing what they are. You ALWAYS find the negative aspect and then moan again.
    If you want the latest and greatest stop buying Aldi crap and buy a Nexus device. You get what you pay for so enough!!!!

    Matt
    Matt
    Reply to  chris
    5 years ago

    This!

    Dennis Bareis
    5 years ago

    Given the current situation it is up to OEMs to fix it, however Google should have thought about the need for updates (security and otherwise) a long long time before they did).

    Matt
    Matt
    Reply to  Dennis Bareis
    5 years ago

    Agreed, the way WebKit is updated was flawed in the begining and really should have been changed over to the way 5.0 is doing it way back in Honeycomb when Chrome really started taking off. Not sure why google even have a “default” browser, chrome comes pre-installed anyway.

    geoff
    geoff
    5 years ago

    Google gives the OEM a free (awesome) OS and free updates and says go for it. Sell your gadget and make money. Did I mention free? So, it’s squarely on the shoulders of the OEM to provide the after sales updates.