Android 4.4.2 KitKat

Google stops patching core Android component in 60% of devices


13 January 2015

Google has stopped patching a core component of Android in versions older than v. 4.4, aka KitKat, a security researcher said today, as he urged the company to reconsider the policy that could leave more than 60% of Android users vulnerable to future attacks.

On Monday, Tod Beardsley, the engineering manager at security vendor Rapid7, claimed that Google’s security team said they would not craft fixes for flaws in WebView for Android 4.3 and older. Android 4.3, the predecessor to KitKat, is better known as Jelly Bean.

WebView is a core operating system component that powers the stock Android browser included with Jelly Bean – Google replaced that browser with Chrome in KitKat – and is called by apps that display a Web page in KitKat and earlier. (A much-changed WebView was spun out of the operating system as of Android 5.0, aka Lollipop.)

“[WebView] is the way any app renders a Web page or Web-based content, like in-app ads,” said Beardsley in an interview. “And WebView is the attack vector for Android. It’s the way that Android devices talk to the Internet, and if I’m an attacker I’ll exploit WebView by making a website and hope that people will click on it.”

Slow fix
According to Beardsley, the Android security response team first responded to bug reports with a “we-don’t-patch-WebView-anymore” reply in mid-October, after he submitted a vulnerability similar to one that Google processed and quickly patched just two weeks earlier.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” the response team told Beardsley via email. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Google did not reply to a request for confirmation of that policy, or for comment about Beardsley’s long blog post today. Beardsley called the practice “eyebrow-raising” and “shocking”.


TechCentral.ie