January 29, 2015 By Jaikumar Vijayan 3 min read

A Google executive’s explanation for the company’s decision to stop patching a core software component of older versions of its Android mobile OS is likely to be of little comfort to the millions of smartphone users affected by it.

In a blog post, Android’s Lead Security Engineer Adrian Ludwig said Google decided not to patch WebView on Android 4.3 and earlier versions because of the sheer enormity of the task.

Patching Older Versions Is Unsustainable

Until relatively recently, Google has taken security fixes from the most recent versions of WebKit used by WebView and applied them to the version of WebKit used in Android 4.3 (Jelly Bean) and earlier, Ludwig said. However, with WebKit alone comprising more than 5 million lines of code — and with thousands of new lines being added each month — fixing older versions is no longer safe.

In some cases, large portions of code had to be changed when applying vulnerability patches to WebKit branches that were more than two years old, Ludwig said.

Ludwig was responding to concerns raised earlier this month when Tod Beardsley, a security researcher from Rapid7, first reported on Google’s decision to stop patching WebView on Jelly Bean and older versions of Android. Beardsley said his discussions with Google incident handlers over a security bug revealed Google currently supports WebView only on Android Lollipop and its predecessor, KitKat. The company has apparently left it to Android smartphone manufacturers and carriers to develop and issue WebView security patches in older versions of Android.

Millions Affected

WebView is a software component that lets a browser be opened from inside a mobile application. Software developers use it when they want to display a mobile application as a Web page or when they want it to run as a Web application. Google updated its WebView for Android with the release of KitKat last year. At some point after that, it decided it would no longer issue security patches for pre-KitKat WebView versions.

By Google’s own estimates, roughly 60 percent of Android smartphones in use run on Android 4.3 or older versions of the operating system. The company’s decision to support WebView only on the latest versions of its mobile operating system has huge implications for Android users, Beardsley and others have maintained. They noted WebView is one of the most popular attack vectors for Android and predicted attackers will try to find new ways to take advantage of the current situation.

Little Comfort

These concerns are unlikely to be assuaged by Ludwig’s explanation of Google’s policy. According to him, Google invests heavily in Android and Chrome security and has been working with equipment manufacturers to improve their patching processes. Currently, original equipment manufacturers can quickly deliver KitKat patches via binary updates provided by Google. For Lollipop, Google is delivering the updates directly via Google Play.

However, the company provides WebView patches only for the two most recent Android versions because it is impractical to do more, he said. Android users on pre-KitKat versions can mitigate their exposure to WebView vulnerabilities by using a browser updated through Google Play and only loading and using content from trusted sources.

“Using an updatable browser will protect you from currently known security issues,” and future ones, he said. “It will also allow you to take advantage of new features and capabilities that are being introduced to these browsers.”

Ludwig did not offer any insight on how many Android users are likely affected by the company’s decision, but he noted the number of potentially affected users is shrinking on a daily basis as they upgrade to newer Android versions.

What remains unclear is whether Google will become more proactive about providing end-of-life dates for its software products in order to help users better prepare for the change.

Image Source: Flickr

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today