A large portion of Android devices could be open to attack, according to a new report from security research team Rapid7, and it’s all thanks to Google.
According to a report in Forbes, security firm Rapid7 has advised that Google is no longer updating their WebView tool, used to display web content on pre-Android 4.4 devices, and this could be a big problem. As Google’s own statistics show, over 60% of Google Android devices in use (not counting devices that do not use Google Play Services) could be affected by any exploit that malicious users develop.
Malicious users can, and do, target WebView, but it’s not terribly straightforward. Hackers would first have to get an Android user to access an affected webpage in an exploited app, or trick them into following a link to a page which is then rendered in WebView.
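As an added example (not from the article, Rapid7 or Google), this is how an app developer who embeds a WebView could treat pre-4.4 devices as carrying a WebView that will not receive fixes: render only content shipped inside the app there, and switch off JavaScript and file access. The class name, the `file:///android_asset/` convention for bundled pages and the fallback to an external browser are assumptions of this example.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical helper: decides whether a WebView on this device may render a URL.
// The article's point is that Google no longer patches WebView below Android 4.4
// (API level 19), so an app should not feed untrusted web content to it there.
public final class WebViewPolicy {

    // Android 4.4 (KitKat) is the oldest version Google still develops patches for.
    static final int OLDEST_PATCHED_API = Build.VERSION_CODES.KITKAT;

    private WebViewPolicy() {}

    /** True when the platform WebView is below the version Google still patches. */
    public static boolean isWebViewUnpatched(int sdkInt) {
        return sdkInt < OLDEST_PATCHED_API;
    }

    /** On unpatched platforms only pages bundled with the app (assumed asset path) may load. */
    public static boolean mayLoad(int sdkInt, String url) {
        if (!isWebViewUnpatched(sdkInt)) return true;
        return url != null && url.startsWith("file:///android_asset/");
    }

    /** Reduce the attack surface of a WebView that cannot receive fixes. */
    public static void harden(WebView view) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(false);           // no script execution in bundled pages
        s.setAllowFileAccess(false);             // no access to the app's file system
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            // Older WebViews register this Java bridge by default; drop it.
            view.removeJavascriptInterface("searchBoxJavaBridge_");
        }
    }

    /** Load the URL if policy allows; return false so the caller can open an external browser instead. */
    public static boolean loadIfAllowed(WebView view, String url) {
        int sdk = Build.VERSION.SDK_INT;
        if (isWebViewUnpatched(sdk)) harden(view);
        if (!mayLoad(sdk, url)) return false;
        view.loadUrl(url);
        return true;
    }
}
```

When `loadIfAllowed` returns false, handing the link to the system browser via an `Intent.ACTION_VIEW` intent keeps the untrusted page out of the app's own WebView.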
Google hasn’t officially commented on the decision to no longer update WebView. Joe Vennix of Rapid7 and independent researcher Rafay Baloch only discovered the decision when a member of Google’s Android security team, responding to their report of a bug in the AOSP browser, replied:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
So Google will actually push out updates if they’re submitted to the AOSP bug tracker; what they won’t do is develop the patches themselves.
With Lollipop devices not even reaching the 0.1% mark required to appear in Google’s distribution statistics, and KitKat devices accounting for only just over a third, this is potentially a problem. The best way to avoid potential issues is to remain within the Google ecosystem when acquiring your apps: Google does scan apps for potential threats, leaving the Google Play Store still one of the best and safest sources.
It’s still a problem, and with a number of outlets picking up this story, it remains to be seen whether Google will change their policy.
WebView pre-Lollipop is baked directly into the system image, which means even if Google updates WebView, they need to release a new version of Android with this update for anyone to actually use it. Google don’t release spot updates for previous versions of Android (which is a mistake, IMO, but that’s another issue), so even if they did release an update to pre-Lollipop WebView, no one would see it. So in reality, this announcement changes nothing. As of Lollipop, WebView is part of Google Play Services. This means that for Lollipop and future, all devices will always have…