Android smartphone owners who aren’t running the latest version of their operating system might get some nasty surprises from malicious hackers in 2015. That’s because one of the core components of their phones won’t be getting any security updates from Google, the owner of the Android operating system. Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below, according to appalled security researchers. That means two-thirds of users won’t receive cover from Google, the researchers noted.
The WebView piece of the messy Android jigsaw allows applications to display web pages within applications. Many apps and ad networks use the component, which the Google Android team even advocates in its developer documentation on rendering web pages. It’s also the favored vector for attack for nearly any remote code execution vulnerability in the mobile OS, according to Rapid7 engineering manager Tod Beardsley. “WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft’s browser] is usually the best vector for attackers who want to compromise Windows client desktops,” he told Forbes.
Software weaknesses have repeatedly been uncovered in Android and WebView, making the lack of updates even more dangerous. Rapid7 has added numerous exploits to its penetration testing kit Metasploit. The most recent version comes with 11 different WebView exploits bundled in, meaning both ethical and criminal hackers could easily exploit the tool and subsequently Android operating systems.
One of the key reasons attackers love to hit WebView is its ability to interact with other parts of Android. “The web technologies supported, and the frameworks like PhoneGap that provide interfaces to native phone functionality, are a big part of why WebView is such a great way to compromise someone’s phone,” added Justin Clarke, a security consultant from Gotham Digital Science.
Joe Vennix, from Rapid7, and Rafay Baloch, an independent researcher, discovered Google was ending support late last year when Google’s Android security crew responded to one of their warnings about a bug in the AOSP browser, which uses WebView, with the following: “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
That meant Google might send out patches for WebView in older versions of Android only if someone else not only finds a problem but comes up with a solution as well. According to Beardsley, asking third-party researchers to deliver a patch along with a bug report may be an unprecedented move.
Google has declined to comment on the matter. It likely made the policy decision when it chose to “unbundle” WebView from its core operating system in Android 5.0, or Lollipop, which was pushed out in October 2014. This meant users would be able to update WebView separately from Android, with automated downloads from Google’s Play Store. But this option remains unavailable to anyone on an older version of the operating system; keep in mind that very few people actually use Lollipop, less than 0.1 percent of all Android device owners.
“While the sub-0.1 per cent of Lollipop users will enjoy that leap forward with a Play store updatable WebView, the other 99.9 per cent of us are stuck with OS updates for the equivalent of a browser patch – if there is a patch available at all,” Beardsley added.
Android is open source, meaning technically anyone could create patches, but the chances of those fixes getting distributed by device manufacturers like Samsung or LG are “slim to none”, Beardsley added.
Whilst Google could simply advise users to upgrade to 4.4 or above, it can’t deny that the majority of its customers are at higher risk of attack because of this lack of WebView support. Its own figures show that of all Android devices – believed to total 1.5624 billion phones – 60.1 per cent don’t run 4.4 KitKat or above. That would indicate 939,002,400 phones aren’t protected as well as they might be.
There are some limitations facing hackers who want to break into Android devices via WebView. Though the component is one of the more tempting targets for Android hackers, attackers would either have to get exploit code onto a web page displayed by a targeted app, or trick a user into following links that are then rendered by WebView. “The latter is probably more likely,” said security consultant Andreas Lindh. He believes the end of support for most Android users “could definitely raise the number of drive-by download attacks for Android, but the majority of malware infections will still come from willingly installed malicious apps”.
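As an added defensive example, not code from the article or from any of the researchers quoted, this is how an app developer who cannot drop pre-KitKat users might limit what an embedded WebView exposes: it turns off JavaScript and file access on devices whose WebView no longer receives Google patches (so a PhoneGap-style bridge has no script surface to reach it), and it refuses navigations away from an allowlist of HTTPS hosts so a tapped link cannot steer the component to attacker-controlled content. The host names and the class name are assumptions.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hardened WebView setup for apps that still support Android 4.3 and below. */
public final class SafeWebViewConfig {

    // Hypothetical allowlist: only HTTPS content from these hosts may be rendered.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    /** True only for https URLs whose host is on the allowlist. */
    static boolean isTrustedUrl(String url) {
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme())
                && uri.getHost() != null
                && TRUSTED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    /** loadUrl() is not routed through shouldOverrideUrlLoading, so gate the initial URL here. */
    public static boolean loadTrusted(WebView webView, String url) {
        if (!isTrustedUrl(url)) return false;
        webView.loadUrl(url);
        return true;
    }

    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        // Remote pages never need file:// or content:// access; switch both off.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        // Below KitKat the bundled WebView gets no Google patches: run no script there at all,
        // and callers must not register an addJavascriptInterface() bridge on such devices.
        boolean unpatchedWebView = Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
        settings.setJavaScriptEnabled(!unpatchedWebView);
        webView.setWebViewClient(new WebViewClient() {
            @Override  // returning true blocks the navigation; only allowlisted HTTPS links load
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrustedUrl(url);
            }
        });
    }
}
```

Disabling JavaScript breaks any page that relies on it, so apps that must script pre-KitKat WebViews should instead serve only allowlisted first-party content and keep the bridge surface minimal.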
Whilst users should, whenever feasible and affordable, upgrade to the latest version of any operating system, as it should be better protected against known attacks than its predecessors, the researchers were still astonished Google won’t offer some kind of additional protection for users. At the very least it should have informed users what was happening, they argued, calling for a reversal of the policy decision.
What might help users, and Google, would be an “end of life” schedule that gave a clear deadline when updates ceased. A granular process would even show when core components wouldn’t be supported. And then Android customers the world over would be somewhat safer when using their smartphones.
This article was written by Thomas Fox-Brewster from Forbes and was legally licensed through the NewsCred publisher network.