Lollipop stops Chromium bugs from endangering Android

Google's WebView for Android will get updates from Google Play, enabling faster security and feature updates.
Written by Liam Tung, Contributing Writer

Android 5.0 Lollipop, set to be released in November, fixes a design issue in Android KitKat that left the OS exposed to newly-disclosed bugs in the Chromium project.

Google has quietly introduced a fairly important change for Android devices going forward from Android 5.0, stemming from a new way of updating WebView, a system component of Android which developers can use to display web content in their apps.

As Google flagged last week, WebView in Lollipop will be updated through Google Play. In all versions of Android, WebView has been bundled with Android firmware. From a security standpoint, that wasn't good, because if a new flaw was found in WebView, the only way a fix would reach end-users was through the unwieldy process of delivering it from Google to OEMs and carriers and finally, if ever, to the end user.

A case in point was discovered earlier this year: a WebView exploit affecting Android versions 4.2 and below left 70 percent of Android devices vulnerable to an attack that only required a user to capture a malicious QR code to give 'shell command' to the attacker. An app compromised this way would give the attacker all they needed to steal contacts and pictures, and to manipulate data on the device.

Then in July this year came the FakeID bug, an Adobe System WebView plugin privilege escalation, which affected all versions of Android below KitKat (version 4.0). The security firm that found that flaw, Bluebox, has a detailed writeup here, but basically malware could use Adobe's web view plugin to impersonate Adobe and gain its privileges on a device. 

More recently, a WebView bug in the built-in browser with Android 4.3 and below left users exposed to spying or session hijacking, spelling a potential privacy disaster if it was exploited.

None of the flaws affected KitKat because Google had moved WebView from WebKit to its fork of WebKit based on the Chromium project, giving it access to more modern browser features. But as Android Police pointed out recently, KitKat retained the same model whereby security patches for WebView were tied to the OS.

Security experts who have spent time digging around WebView have given the change in Android 5.0 a big thumbs up.

"It's an awesome security feature. It would have allowed 4.3 and below phones to be patched from all the universal cross-site scripting and remote code execution vulnerabilities we found without requiring a full vendor update, which is what prevents most users from updating," Joe Vennix, a researcher at security firm Rapid7, told ZDNet.

"In Android 4.4, WebView's internal implementation is replaced by Chromium's fork of WebKit. This fixed some vulnerabilities that were only present because Android's WebKit library was so far off WebKit master and was not receiving proper security fixes from upstream. Hopefully using Chromium instead of WebKit will mean more frequent updates from upstream."

"In Android L, the Chromium implementation is allowed to auto-update without needing a full vendor or OS update. That way, browser security is placed back in the hands of Google, rather than requiring an intermediary re-build from the vendors."

Moving updates to Google Play also addresses an odd problem that arises when the Chromium team releases bug fixes: the same bugs resided in WebView, which couldn't be updated as easily.

"The Chrome team discloses bugs on a regular basis and leaves Android's built-in webkit exposed to bugs," Accuvant security researcher Joshua Drake pointed out.

Essentially, fixing one project endangered another by providing hackers with the tools to create an exploit. "Chromium publicly discloses their own bugs all the time and if the user cannot update, their disclosures are essentially providing exploits that cannot be patched," said Vennix.

Courtesy of Drake, who is also a contributor to the Android security project droidsec.org, here's a summary of the history of WebView in Android, which helps explain what the changes in Android L mean for both developers and the security of end-users.

1. Android 1.x - 3.x: Browser and WebView both based on WebKit (same component, requires firmware update)

2. Android 4.x - Android 4.3: Default Browser Chrome (updated through Play), WebView based on WebKit (requires firmware update)

3. Android 4.4 - 4.4.4: Default Browser Chrome (updated through Play), WebView based on Chromium (blink, requires firmware update)

4. Android 5.0: Default Browser Chrome (updated through Play), WebView based on Chromium (blink, updated through Play)

For readers interested, here's Drake's extended version:

"From the beginning, Android has included a browser and provided
support for embedding a browser into Android apps (the WebView). In
the beginning, the AOSP browser was based on the same code base as the
WebView support, which was WebKit. WebKit is a very popular browser
engine and, for quite a while, was used by Chrome (on all operating
systems) too.

I'm not sure of the exact date, but at some point the Chrome team
decided to fork WebKit and create the "blink" project. Since it was a
fork, it inherited most of the same issues as the upstream WebKit
project. Security problems in WebKit affect all projects based on
WebKit (which include quite a large number).

So... With Android and Chrome both being based on WebKit, Chrome's bug
bounty program paid for and disclosed numerous issues that affected
Android's browser and WebView.

In those early days, Google did not make much effort to update the
Android browser, presumably since it was entirely based on the WebKit
version provided with the firmware. A firmware update was required to
update those components.

When Android 4.0 was released, Google decided to switch Android's
default browser to Chrome. This was an important change too, as it
meant that the Chrome team could update the Android default browser
alongside its other releases whenever it disclosed security issues
from the bounty program.

However! They did not switch Android's WebView to be based on Chrome
at that time. Thus, WebView-based apps remained vulnerable to any such

Along came Android 4.4. Now, at this point they did switch Android's
WebView code base to Chromium. That was a huge update, and likely
required a huge effort. However, the way things were shipped did not
change. Android still required new firmware to update the WebView
browser engine and Chrome was still updated from the Play store.

This brings us to today. When Android L is released, the news is that
it will use a browser engine that is regularly updated for WebViews.
This is huge. Not only for security, but also developers of web
content that care about how such content is rendered on Android.

On a final note, there are quite a few third-party browsers out there.
Many of them rely on the WebView. However, some take the same route as
Chrome and embed their own browser engine. This isn't a huge deal to
me, since I don't care much for third party browsers, but it does
matter in the grand scheme of things."

