January 16, 2015 By Jaikumar Vijayan 2 min read

Tens of millions of Android smartphone owners could be at a higher risk of malicious attacks because of a decision by Google to stop issuing Android patches for a key software component in older versions of its mobile operating system (OS).

Little Notice

With little public notice, Google has stopped issuing security patches and other updates for WebView on Android 4.3 (Jelly Bean) and prior versions of the OS. The company currently only supports Lollipop, the latest version of Android, and KitKat, Lollipop’s predecessor.

This decision means roughly 60 percent of Android devices — about 930 million smartphones, by some estimates — are vulnerable to attacks that exploit flaws for which no patches are currently available — nor are they likely forthcoming from Google.

“This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases,” said Tod Beardsley, a researcher at security firm Rapid7. He was one of the first people to learn of Google’s new policy to stop Android patches for older versions of the OS.

Beardsley said he fully expects smartphones running affected versions of the Android OS to be increasingly targeted by attackers and penetration testers once word of Google’s decision spreads.

Easy Targets

A WebView basically lets a Web browser be opened from inside a mobile application. Developers typically add a WebView to their application if they want it to display as a Web page or run a Web application. Google replaced its original WebView for Android with an updated version of the component based on the Chromium open source project when it released Android 4.4, or KitKat. The new WebView has the same rendering engine as the one used by Chrome to render browser pages on Android devices.

Sometime between KitKat and the release of Lollipop, Google apparently decided to stop issuing Android patches for WebView on Jelly Bean and previous versions of Android.

Highly Vulnerable Without Android Patches

Beardsley said he discovered the change when reporting a new vulnerability in WebView to Google. The vulnerability is one of close to a dozen that security researchers have discovered in WebView in recent months. All the vulnerabilities exist in Android 4.3 and earlier, which are precisely the versions Google no longer supports.

Google incident handlers responding to Beardsley’s bug submission basically said the company does not develop patches for older versions of Android. However, Google is apparently open to receiving patches from those reporting vulnerabilities. The incident handlers added that other than alerting original equipment manufacturers of a bug, Google will not take any further steps to patch or mitigate problems on Jelly Bean and older versions of Android.

Google’s Reasons

Google’s reasoning is reportedly based on the fact that it no longer certifies third-party devices that include the Android browser, Beardsley wrote. Google leaves it up to original equipment manufacturers and carriers to ensure their devices are properly patched. Generally, when Google receives an Android vulnerability report, it provides quick security updates for Nexus devices, which it controls. It also ensures future releases of Android are free of the reported problem.

However, in all other situations, the company has maintained that the best way to ensure continued support is for users to upgrade to the latest versions of the Android OS.

“To put it another way, Google’s position is that Jelly Bean devices are too old to support — after all, they are two versions back from the current release, Lollipop,” Beardsley said.

Image Source: Flickr

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today