Tens of millions of Android smartphone owners could be at a higher risk of malicious attacks because of a decision by Google to stop issuing Android patches for a key software component in older versions of its mobile operating system (OS).

Little Notice

With little public notice, Google has stopped issuing security patches and other updates for WebView on Android 4.3 (Jelly Bean) and prior versions of the OS. The company currently only supports Lollipop, the latest version of Android, and KitKat, Lollipop’s predecessor.

This decision means roughly 60 percent of Android devices — about 930 million smartphones, by some estimates — are vulnerable to attacks that exploit flaws for which no patches are currently available — nor are they likely forthcoming from Google.

“This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases,” said Tod Beardsley, a researcher at security firm Rapid7. He was one of the first people to learn of Google’s new policy to stop Android patches for older versions of the OS.

Beardsley said he fully expects smartphones running affected versions of the Android OS to be increasingly targeted by attackers and penetration testers once word of Google’s decision spreads.

Easy Targets

A WebView basically lets a Web browser be opened from inside a mobile application. Developers typically add a WebView to their application if they want it to display as a Web page or run a Web application. Google replaced its original WebView for Android with an updated version of the component based on the Chromium open source project when it released Android 4.4, or KitKat. The new WebView has the same rendering engine as the one used by Chrome to render browser pages on Android devices.

Sometime between KitKat and the release of Lollipop, Google apparently decided to stop issuing Android patches for WebView on Jelly Bean and previous versions of Android.

Highly Vulnerable Without Android Patches

Beardsley said he discovered the change when reporting a new vulnerability in WebView to Google. The vulnerability is one of close to a dozen that security researchers have discovered in WebView in recent months. All the vulnerabilities exist in Android 4.3 and earlier, which are precisely the versions Google no longer supports.

Google incident handlers responding to Beardsley’s bug submission basically said the company does not develop patches for older versions of Android. However, Google is apparently open to receiving patches from those reporting vulnerabilities. The incident handlers added that other than alerting original equipment manufacturers of a bug, Google will not take any further steps to patch or mitigate problems on Jelly Bean and older versions of Android.

Google’s Reasons

Google’s reasoning is reportedly based on the fact that it no longer certifies third-party devices that include the Android browser, Beardsley wrote. Google leaves it up to original equipment manufacturers and carriers to ensure their devices are properly patched. Generally, when Google receives an Android vulnerability report, it provides quick security updates for Nexus devices, which it controls. It also ensures future releases of Android are free of the reported problem.

However, in all other situations, the company has maintained that the best way to ensure continued support is for users to upgrade to the latest versions of the Android OS.

“To put it another way, Google’s position is that Jelly Bean devices are too old to support — after all, they are two versions back from the current release, Lollipop,” Beardsley said.

Image Source: Flickr