Google stops providing patches for pre-KitKat WebView, abandons 930 million users

The next time hackers find a bug in Android WebView, Google will leave it up to the goodwill of researchers to respond.
Written by Liam Tung, Contributing Writer

If you're one of millions of people still running Android 4.3 Jelly Bean or earlier, you won't get any security fixes for WebView unless someone outside of Google develops them.

That's potentially bad news for more than half of the world's Android users, who run versions of the OS released before Android 4.4 KitKat. According to Google's latest Android distribution figures, 46 percent of Android devices run Jelly Bean, followed by KitKat at 39.1 percent. The remaining Android users are on Gingerbread (versions 2.3.3 to 2.3.7, used by 7.8 percent of handsets), Ice Cream Sandwich (versions 4.0.3 to 4.0.4, used by 6.7 percent), and the old Froyo (version 2.2, 0.4 percent).

According to Tod Beardsley, a security researcher at Rapid7 who oversees the Metasploit project, Google recently made a "bizarre" decision to stop developing patches for pre-KitKat WebView bugs in Android. Historically, security researchers have found plenty of flaws in the component, which is concerning given the component's reach: it's thought to be used by around 930 million Android devices.

After receiving a report of a new vulnerability in pre-4.4 WebView in October last year, Google's Android incident handlers said the company will leave the task of developing security patches to outsiders, according to Beardsley.

In Beardsley's blog post, Google said: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

In other words, the next time a researcher or hacker finds a way to exploit WebView on pre-KitKat Android, Google won't create a patch for the vulnerability itself. However, if anyone else builds one, Google will incorporate those patches into the Android Open Source Project code. Google will also provide them to handset makers, but that's where its responsibility stops.

"I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position," Beardsley said.

As Beardsley points out, researchers Rafay Baloch and Joe Vennix have been "knocking out Android WebView exploits somewhat routinely".

One of them, a universal cross-site scripting bug, was patched last year. Another was a same-origin policy bypass that could allow an attacker to hijack a web session. The bugs are among 11 WebView exploits that ship with Metasploit, a penetration-testing framework used by security testers and 'black hat' hackers alike to attack systems.

ZDNet has asked Google when it adopted this policy and its reasons for doing so, and will update the story if any comment is received.

Beardsley told ZDNet that he learned of the policy change last October and suspects it coincided with the release of Android 5.0 Lollipop.

"It's important to consider that there is no published end-of-life or end-of-support policy from Google with regard to any version of Android. Google may decide to drop support for KitKat tomorrow, though doing so would be suicidal. Of course, I would expect that dropping support for 60% of your install base would also be suicidal, yet here we are," he said.

Apple also lacks an end-of-life document, while Microsoft and BlackBerry have clear statements on how they handle the sun-setting of products.

Beardsley said Google dropped support for Jelly Bean and earlier versions because it will "no longer certify third party devices that include the Android Browser" and "the best way to ensure that Android devices are secure is to update them to the latest version of Android".

Of course, on the latter point, there are dozens of devices that can't be updated to KitKat or the latest Android 5.0 Lollipop.

WebView on Android 5.0 Lollipop is handled in an entirely different way from earlier versions: it is delivered as a separately updatable component (the Android System WebView package) and patched via Google Play, so fixes no longer depend on a firmware update from the handset maker.

Meanwhile, Google's Android security team will continue to create back-ported patches for other pre-KitKat components such as multimedia players.
