Google won't patch WebView for older Android versions


By Dylan Bushell-Embling
Wednesday, 14 January, 2015



Google has come under fire this week for a reported decision to stop patching the WebView component of Android for versions older than Android 4.4.

Rapid7 Engineering Manager Tod Beardsley has stated that researchers have been informed that Google will no longer develop patches for the WebView component in Android 4.3 or older, and will not take action on such bug reports beyond notifying OEMs.

The statement was made after a new exploit affecting WebView in Android 4.3 or older was discovered and reported to the Android team.

The change means that Android 4.4 (KitKat) and Android 5.0 (Lollipop) are the only named versions of the OS for which the native version of WebView is still supported.

Google did state that other components of pre-KitKat Android, including the media players, will still receive back-ported patches, but it will be left to OEMs to patch bugs in the older, WebKit-based WebView on their own.

Beardsley said Google's response notes that it is willing to forward patches to OEMs if the reporter supplies a patch along with the bug report.

“I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy,” he wrote.

Because Android updates reach devices only through OEMs, some OEMs are still selling devices running Android 4.3 or earlier. Beardsley also noted that an estimated 60% of Android devices in operation - around 930 million phones - are pre-KitKat devices. The preponderance of low-cost Android smartphones also means there is a large installed base of users who cannot afford to replace a device on a whim.

“Taken together - the two-thirds majority install base of now-unsupported devices and the practical inability of that base to upgrade by replacing hardware - means that any new bug discovered in ‘legacy’ Android is going to last as a mass-market exploit vector for a long, long time,” he said.

OEMs that ship customised Android distributions also have an incentive to stay on older versions, since it is easier to patch and build on their existing customised version than to port it to a newer release.

Beardsley also criticised Google for having no policy of publishing details of Android vulnerabilities, leaving developers and consumers dependent on third-party notifications for details of each vulnerability and its impact.

“For example, Google’s only public acknowledgement of CVE-2014-8609, a recent system-level information disclosure vulnerability, was a patch commit message on the Lollipop source code repository,” he said.

He urged Google to reconsider its policies and continue to develop patches for core components of older versions of Android.

Ars Technica notes that the situation is complicated by the fact that, unlike rivals such as Apple and Microsoft, Google cannot update most Android installs directly. It instead relies on OEMs to adopt its source code changes, which means fixes often never reach devices even after Google has developed them.

Starting with Android 5.0, however, WebView is shipped as a separate app (Android System WebView) delivered through the Google Play Store. This lets Google update WebView directly and push those updates through the store infrastructure without waiting on OEMs. At the time of writing, only around 0.1% of Android users were running this version of the OS.
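For anyone inventorying a fleet, the practical question is which devices fall into each of the three buckets described above: pre-KitKat (WebView patched only if the OEM does it), KitKat (Google still patches the native WebView) and Lollipop or later (WebView updated through Play). The script below is an added example, not code from the article, Google or Rapid7. It parses the value of the real Android property ro.build.version.release (as returned by `adb shell getprop`) and classifies it; the device serials and version strings in the inventory are constructed, and the bucket names are my own.

```shell
#!/bin/sh
# Added example: classify Android releases by who can patch the built-in
# WebView, following the policy described in the article. The three labels
# ("oem-only", "google-patched", "play-updatable") are assumed names, not
# Google terminology. Input is the output of
#   adb shell getprop ro.build.version.release      (e.g. "4.3.1")

webview_status() {
    ver=$1
    major=${ver%%.*}           # "4.3.1" -> "4"
    rest=${ver#"$major"}       # "4.3.1" -> ".3.1"
    rest=${rest#.}             # ".3.1"  -> "3.1"
    minor=${rest%%.*}          # "3.1"   -> "3"
    [ -z "$minor" ] && minor=0 # bare "4" or "10" has no minor component

    # Reject anything that is not two non-negative integers.
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;
    esac
    case "$minor" in
        *[!0-9]*) echo "unknown"; return 1 ;;
    esac

    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; }; then
        echo "oem-only"        # pre-KitKat: Google only forwards reports to OEMs
    elif [ "$major" -eq 4 ]; then
        echo "google-patched"  # KitKat: Google still patches the native WebView
    else
        echo "play-updatable"  # Lollipop+: Android System WebView via Play
    fi
}

# Constructed inventory, one "<serial> <release>" pair per line. On a real
# fleet you would build this from `adb devices` plus the getprop call above.
INVENTORY='emu-001 4.1.2
emu-002 4.3.1
emu-003 4.4.4
emu-004 5.0'

# Print a tab-separated report: serial, release, WebView patch bucket.
report() {
    printf '%s\n' "$INVENTORY" | while read -r serial rel; do
        [ -z "$serial" ] && continue
        printf '%s\t%s\t%s\n' "$serial" "$rel" "$(webview_status "$rel")"
    done
}

report
```

The version comparison is done on the major and minor components only, which is all the article's policy boundary (4.4) requires; patch-level differences such as 4.4.2 versus 4.4.4 are deliberately ignored.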

The news comes after Google drew Microsoft's ire twice in less than a month by publishing details of Windows vulnerabilities once its Project Zero team's 90-day disclosure deadline had passed, but before Microsoft had released a fix.

Image courtesy of Rob Bulmahn under CC


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd