WebView not updated by Google on Android earlier than KitKat

Jan 12, 2015 23:57 GMT  ·  By

Any security bugs reported for the WebView core component of Android versions prior to KitKat (4.4) are no longer a priority for the Android security team, researchers have learned.

At the moment, 60.9%, or almost one billion, of the Android user base still relies on JellyBean (4.3) and lower versions of the operating system.

Official support for the core component is dropped

WebView is an important component of the mobile OS developed by Google, as it is required to render web pages on the device. Starting with KitKat, the component was replaced with a newer version based on Chromium.

Communicating with the developer handling security incidents for Android, security researchers at Rapid7 have found that Google no longer creates patches for flaws in WebView versions earlier than 4.4.

“Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” was a recent reply from the Android security team upon receiving a report about a new vulnerability in a WebView version earlier than KitKat.

Apart from the fact that more than 930 million users have on their phone a version of the component that no longer receives official support from Google, Tod Beardsley of Rapid7 says that WebView vulnerabilities are frequently found, with 11 exploits already integrated in the Metasploit penetration testing framework.

Bugs will persist longer, unlikely to become scarce

Beardsley says that the reasoning behind this decision is that Google no longer certifies third-party devices that feature the Android web browser.

The implication is that, absent a patch provided by good Samaritans or other third parties and vetted by Google, more than half of Android users remain exposed to exploits leveraging WebView vulnerabilities for longer, and this state of insecurity is very likely to become permanent in some cases.

The best way to stay protected is obviously to upgrade to a new handset, but not everyone is willing to spend as much as the newer, safer models cost.

This is actually a new incentive for cybercriminals to explore the security flaws Google is not willing to repair in its legacy Android versions, and the market could not be riper.

Companies also have to take heed of this under-reported policy from Google, as businesses have been appearing on cybercriminals' radar with increasing frequency lately.

“Technology keeps moving forward on mobile devices, client computers, servers, and network infrastructure. As a result, the overall security of an organisation relies on the ongoing automated analysis of the current situation and processes and procedures to address the gaps that are uncovered daily,” said Steve Hultquist, chief evangelist at RedSeal via email.

“As we can see with the distribution of Android releases, being aware of the distribution of systems, their existing security issues, and how they are accessible from threats are all critical aspects of the overall security operation of an enterprise,” he added.
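The inventory point made above (knowing which systems are out there and what their known issues are) can be applied directly to this case: flag the clients that still run the legacy, non-Chromium WebView, i.e. Android versions below 4.4 per the article. The script below is an added example, not code from the article or from Rapid7 or Google; it scans constructed web-server access log lines (the sample lines and user-agent strings are made up for illustration), extracts the Android version from each user agent and reports the share of Android clients that fall below the KitKat cutoff.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the article). The user-agent
# strings mimic the stock Android browser / WebView format but are made up.
SAMPLE_LOG_LINES = [
    '10.0.0.1 - - [12/Jan/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) '
    'AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '10.0.0.2 - - [12/Jan/2015:10:00:05 +0000] "GET /login HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 (Linux; U; Android 4.3; en-us; Nexus 4 Build/JWR66Y) '
    'AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '10.0.0.3 - - [12/Jan/2015:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"',
    '10.0.0.4 - - [12/Jan/2015:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 5.0; Nexus 6 Build/LRX21O) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36"',
    '10.0.0.5 - - [12/Jan/2015:10:00:20 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"',
]

# "Android <major>[.<minor>[.<patch>]]" as it appears in stock browser/WebView UAs.
ANDROID_RE = re.compile(r"Android (\d+)(?:\.(\d+))?(?:\.(\d+))?")
# In combined log format the user agent is the last quoted field on the line.
UA_RE = re.compile(r'"([^"]*)"\s*$')

# KitKat (4.4) is the first release whose WebView is Chromium-based and still
# receives fixes from Google; anything below it is the legacy component.
LEGACY_CUTOFF = (4, 4)


def android_version(user_agent):
    """Return (major, minor, patch) from an Android UA, or None if not Android."""
    m = ANDROID_RE.search(user_agent)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2) or 0)
    patch = int(m.group(3) or 0)
    return (major, minor, patch)


def is_legacy_webview(user_agent):
    """True for Android < 4.4, False for 4.4 and later, None for non-Android."""
    version = android_version(user_agent)
    if version is None:
        return None
    return version[:2] < LEGACY_CUTOFF


def classify_log(lines):
    """Count clients in each class across a list of access-log lines."""
    counts = Counter()
    for line in lines:
        m = UA_RE.search(line)
        user_agent = m.group(1) if m else ""
        legacy = is_legacy_webview(user_agent)
        if legacy is None:
            counts["non_android"] += 1
        elif legacy:
            counts["legacy_webview"] += 1
        else:
            counts["chromium_webview"] += 1
    return counts


def legacy_share(counts):
    """Fraction of Android clients that still run the legacy WebView."""
    android_total = counts["legacy_webview"] + counts["chromium_webview"]
    return counts["legacy_webview"] / android_total if android_total else 0.0


if __name__ == "__main__":
    report = classify_log(SAMPLE_LOG_LINES)
    for key in ("legacy_webview", "chromium_webview", "non_android"):
        print(f"{key:17s} {report[key]}")
    print(f"legacy share of Android clients: {legacy_share(report):.1%}")
```

Run over a real combined-format access log, the `legacy_webview` count tells you how many of your users hit your site through the unpatched component; the same version check can be applied to an MDM or asset inventory export to find corporate handsets that cannot receive the fix. The cutoff is a major.minor comparison so that 4.4.x and later are treated as patched regardless of patch level.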