Google Inc (NASDAQ:GOOGL), overseer of the world’s largest mobile operating system, has just abandoned more than 930 million Android users, leaving them and security researchers to fend for themselves should hackers exploit one particular core component of Android.
Affected are users of Android 4.3 Jelly Bean or older, according to Tod Beardsley of Rapid7, an IT security company. In other words, most Android users are affected now that Google Inc (NASDAQ:GOOGL) has silently ended security patch support for WebView, the core Android component in question.
WebView lets an application display web content inside the app itself, without launching a separate application (normally an internet browser). WebView is also a favorite attack route for hackers, because a vulnerability in it can provide remote code execution on Android.
In Android 4.4 KitKat, Beardsley said, WebView was replaced by a Chromium-based version. That change effectively separated the component from the Android operating system and made it updateable through Google Play. The problem is that in Android 4.3 and older, WebView is still bundled with the operating system and cannot be updated via the Play Store.
Beardsley said that when his colleague Joe Vennix and independent security expert Rafay Baloch reported an exploit against the pre-Android 4.4 WebView, Google responded by essentially saying it no longer develops WebView patches for Android 4.3 or older.
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” Beardsley quotes the incident handlers at firstname.lastname@example.org replying in an email.
Beardsley added that the incident handlers at the technology giant also said, “If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.”
What this means is that if a WebView exploit is found on a device running Android 4.3 or older, Google will only distribute a patch if the issue is reported and the security researcher or a phone manufacturer supplies the fix along with it.
The decision to end security patches for Android 4.3 or older makes sense, Beardsley said, since Jelly Bean is, after all, two versions behind the most recent Android version, 5.0 Lollipop.
However, he also pointed to Google’s own data, which shows that Android 4.4 KitKat accounts for just 39.1% of all Android users. Lollipop is not yet even listed in Google’s tables, and the security researcher said it makes up just 0.1% of the Android populace. That leaves over 60% of Android users, or more than 930 million people, affected by this silent and potentially harmful change in Google’s policy.
The danger is only heightened by the fact that not every smartphone will get the chance to be updated to the latest version of Android. Manufacturers, with the help of carriers, could update every handset they release to the latest Android version, but we know that does not happen: they typically update only their most recent phones.
Users can also update a device themselves, but that is a fairly complicated process for the average user. Even more complicated for the average user would be combing through open source Android repositories, or doing their own digging to discover vulnerabilities, and coming up with patches themselves. That is virtually impossible for an average user, who will also never commit that much time to WebView.
So thanks, Google Inc (NASDAQ:GOOGL). Thanks a lot.
Shareholders of Google Inc (NASDAQ:GOOGL) include Boykin Curry’s Eagle Capital Management, which reported owning 790,560 Class A shares at the end of September. Valued then at about $465.17 million, the stake accounted for 1.79% of the firm’s whole portfolio. It also owned 844,221 Class C shares in the web giant at the end of 3Q2014.