Google's New Android Patch Policy Puts 939 Million Users at Risk: Report

Share on Facebook Tweet Share Share Reddit Comment
Google's New Android Patch Policy Puts 939 Million Users at Risk: Report
Google has reportedly stopped providing security updates for WebViewon Android version Jelly Bean and below. A security research publication, Rapid7 has claimed that the Mountain View giant had stopped providing patches for WebView within Android 4.3 or below starting late last year. The report even suggests that the company currently only supports WebView in Android 5.0 Lollipop and Android 4.4 KitKat running devices.

Forbes reports, "Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below."

Rapid7 engineering manager Tod Beardsley told Forbes, "It's also the favoured vector for attack for nearly any remote code execution vulnerability in the mobile OS. WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft's browser] is usually the best vector for attackers who want to compromise Windows client desktops."

"WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser," Rapid7 explains.

According to the report, Rapid7's Joe Vennix and Rafay Baloch, an independent researcher, discovered the potential vulnerability in Android 4.3 Jelly Bean or below and contacted Android's security team who responded: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

The move seems to be Google's new policy to handle vulnerabilities on the Android 4.3 or below where it will come up with patches only if a user not only reports the vulnerability within older Android version's WebView, but also provides a solution. Rapid7's Beardsley points out, "I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position. This change in security policy seemed so bizarre, in fact, that I couldn't believe that it was actually official Google policy."

Android's security team added, "If patches are provided with the report or put into AOSP we are happy to provide them to partners as well."

To add some context, Google's latest distribution data of different versions of Android has revealed that Android 5.0 Lollipop, the latest publicly available version of Google's mobile and tablet operating system, is powering less than 0.1 percent of Android devices while Android KitKat has a total share of 39.1 percent. The distribution data of different versions of Android also revealed that Android Jelly Bean still powers the greater part of Android devices, with a combined percentage of 46 percent.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Android, Google, Mobiles, Tablets, WebView
Ketan Pratap

Ketan Pratap covers daily news and rumours at Gadgets 360. He attended IIMC (Indian Institute of Mass Communication), majoring in English Journalism. Ketan is a ... More

Free Apps for the DIY Enthusiast
GM Open to Working With Google on Self-Driving Car Technology