Google stops patching core Android component in 60% of devices
On Monday, Tod Beardsley, the engineering manager at security vendor Rapid7, claimed that Google's security team said they would not craft fixes for flaws in WebView for Android 4.3 and older. Android 4.3, the predecessor to KitKat, is better known as "Jelly Bean."
WebView is a core operating system component that powers the stock Android browser included with Jelly Bean -- Google replaced that browser with Chrome in KitKat -- and is called by apps that display a Web page in KitKat and earlier. (A much-changed WebView was spun out of the operating system as of Android 5.0, aka "Lollipop.")
"[WebView] is the way any app renders a Web page or Web-based content, like in-app ads," said Beardsley in an interview. "And WebView is the attack vector for Android. It's the way that Android devices talk to the Internet, and if I'm an attacker I'll exploit WebView by making a website and hope that people will click on it."
According to Beardsley, the Android security response team first responded to bug reports with a "we-don't-patch-WebView-anymore" reply in mid-October, after he submitted a vulnerability similar to one that Google processed and quickly patched just two weeks earlier.
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration," the response team told Beardsley via email. "Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
Google did not reply to a request for confirmation of that policy, or for comment about Beardsley's long blog post today. Beardsley called the practice "eyebrow-raising" and "shocking."
"Android has a huge installed base," he said, and pointed out that the versions for which WebView will not be patched by Google make up more than 60% of the installed base.
"I know it's a huge hassle to support things forever," said Beardsley. "Developers make that call every day. But most support Jelly Bean because they don't want to cut themselves out of a [large part] of the Android market."
He also criticized Google for not making clear what components in, say, Jelly Bean it did or didn't support. "They should tell people what is and what isn't supported," Beardsley added. "Today, there's nothing in the developer docs that mentions end of life."
The same criticism has also been aimed at Apple, which does not explicitly spell out how long it supports each version of OS X or iOS.
Although iOS has no written end-of-life policy and Apple rarely patches older versions of iOS -- it instead tells customers to upgrade -- the company does generally support several generations of devices with its latest edition of iOS. The difference between Apple and Google, however, is stark when it comes to upgrades and updates, as the former provides them directly to customers, while Google does not. Google's approach results in a larger percentage of devices running older OSes than does Apple's.
Almost as important to Beardsley was that Google has not applied the same policy to all parts of Jelly Bean. "This isn't the end of life for all of Android [version 4.3, or Jelly Bean]," Beardsley said. When he posed a hypothetical to the Android security response team about whether it would patch a vulnerability in Jelly Bean's audio player, for example, Beardsley was told that Google would fix the flaw. "This uneven treatment of different components will be confusing," he predicted.
Adding to the uncertainty was the possibility that some device makers or carriers may patch a specific WebView bug in their own versions of Android, while others would not. Google said that although it would not fix such vulnerabilities itself, it would accept patches from others, including device manufacturers, carriers and even security researchers.
Beardsley said that it wasn't unknown for researchers to provide patches for flaws they discovered and reported.
In the blog post, Beardsley asked Google to reconsider its apparent no-patch policy for WebView in Jelly Bean and older. "Google's engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning," he wrote. "I'm hoping Google reconsiders."
Currently, Rapid7's Metasploit penetration testing framework includes several exploit modules that rely on unpatched WebView vulnerabilities in Jelly Bean, Beardsley confirmed.