Tens of millions of Android smartphone owners could be at a higher risk of malicious attacks because of a decision by Google to stop issuing Android patches for a key software component in older versions of its mobile operating system (OS).

Little Notice

With little public notice, Google has stopped issuing security patches and other updates for WebView on Android 4.3 (Jelly Bean) and prior versions of the OS. The company currently only supports Lollipop, the latest version of Android, and KitKat, Lollipop’s predecessor.

This decision means roughly 60 percent of Android devices — about 930 million smartphones, by some estimates — are vulnerable to attacks that exploit flaws for which no patches are currently available — nor are they likely forthcoming from Google.

“This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases,” said Tod Beardsley, a researcher at security firm Rapid7. He was one of the first people to learn of Google’s new policy to stop Android patches for older versions of the OS.

Beardsley said he fully expects smartphones running affected versions of the Android OS to be increasingly targeted by attackers and penetration testers once word of Google’s decision spreads.

Easy Targets

A WebView basically lets a Web browser be opened from inside a mobile application. Developers typically add a WebView to their application if they want it to display as a Web page or run a Web application. Google replaced its original WebView for Android with an updated version of the component based on the Chromium open source project when it released Android 4.4, or KitKat. The new WebView has the same rendering engine as the one used by Chrome to render browser pages on Android devices.

Sometime between KitKat and the release of Lollipop, Google apparently decided to stop issuing Android patches for WebView on Jelly Bean and previous versions of Android.

Highly Vulnerable Without Android Patches

Beardsley said he discovered the change when reporting a new vulnerability in WebView to Google. The vulnerability is one of close to a dozen that security researchers have discovered in WebView in recent months. All the vulnerabilities exist in Android 4.3 and earlier, which are precisely the versions Google no longer supports.

Google incident handlers responding to Beardsley’s bug submission basically said the company does not develop patches for older versions of Android. However, Google is apparently open to receiving patches from those reporting vulnerabilities. The incident handlers added that other than alerting original equipment manufacturers of a bug, Google will not take any further steps to patch or mitigate problems on Jelly Bean and older versions of Android.

Google’s Reasons

Google’s reasoning is reportedly based on the fact that it no longer certifies third-party devices that include the Android browser, Beardsley wrote. Google leaves it up to original equipment manufacturers and carriers to ensure their devices are properly patched. Generally, when Google receives an Android vulnerability report, it provides quick security updates for Nexus devices, which it controls. It also ensures future releases of Android are free of the reported problem.

However, in all other situations, the company has maintained that the best way to ensure continued support is for users to upgrade to the latest versions of the Android OS.

“To put it another way, Google’s position is that Jelly Bean devices are too old to support — after all, they are two versions back from the current release, Lollipop,” Beardsley said.

Image Source: Flickr

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read