January 29, 2015 By Jaikumar Vijayan

A Google executive’s explanation for the company’s decision to stop patching a core software component of older versions of its Android mobile OS is likely to be of little comfort to the millions of smartphone users affected by it.

In a blog post, Android’s Lead Security Engineer Adrian Ludwig said Google decided not to patch WebView on Android 4.3 and earlier versions because of the sheer enormity of the task.

Patching Older Versions Is Unsustainable

Until relatively recently, Google had taken security fixes from the most recent versions of WebKit used by WebView and applied them to the version of WebKit used in Android 4.3 (Jelly Bean) and earlier, Ludwig said. However, with WebKit alone comprising more than 5 million lines of code — and with thousands of new lines being added each month — fixing older versions is no longer safe.

In some cases, large portions of code had to be changed when applying vulnerability patches to WebKit branches that were more than two years old, Ludwig said.

Ludwig was responding to concerns raised earlier this month when Tod Beardsley, a security researcher from Rapid7, first reported on Google’s decision to stop patching WebView on Jelly Bean and older versions of Android. Beardsley said his discussions with Google incident handlers over a security bug revealed Google currently supports WebView only on Android Lollipop and its predecessor, KitKat. The company has apparently left it to Android smartphone manufacturers and carriers to develop and issue WebView security patches in older versions of Android.

Millions Affected

WebView is a software component that lets a browser be opened from inside a mobile application. Software developers use it when they want to display a mobile application as a Web page or when they want it to run as a Web application. Google updated its WebView for Android with the release of KitKat last year. At some point after that, it decided it would no longer issue security patches for pre-KitKat WebView versions.

By Google’s own estimates, roughly 60 percent of Android smartphones in use run on Android 4.3 or older versions of the operating system. The company’s decision to support WebView only on the latest versions of its mobile operating system has huge implications for Android users, Beardsley and others have maintained. They noted WebView is one of the most popular attack vectors for Android and predicted attackers will try to find new ways to take advantage of the current situation.

Little Comfort

These concerns are unlikely to be assuaged by Ludwig’s explanation of Google’s policy. According to him, Google invests heavily in Android and Chrome security and has been working with equipment manufacturers to improve their patching processes. Currently, original equipment manufacturers can quickly deliver KitKat patches via binary updates provided by Google. For Lollipop, Google is delivering the updates directly via Google Play.

However, the company provides WebView patches only for the two most recent Android versions because it is impractical to do more, he said. Android users on pre-KitKat versions can mitigate their exposure to WebView vulnerabilities by using a browser updated through Google Play and only loading and using content from trusted sources.

“Using an updatable browser will protect you from currently known security issues,” and future ones, he said. “It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.”

Ludwig did not offer any insight on how many Android users are likely affected by the company’s decision, but he noted the number of potentially affected users is shrinking on a daily basis as they upgrade to newer Android versions.

What remains unclear is whether Google will become more proactive about providing end-of-life dates for its software products in order to help users better prepare for the change.
