January 16, 2015 By Jaikumar Vijayan 2 min read

Tens of millions of Android smartphone owners could be at a higher risk of malicious attacks because of a decision by Google to stop issuing Android patches for a key software component in older versions of its mobile operating system (OS).

Little Notice

With little public notice, Google has stopped issuing security patches and other updates for WebView on Android 4.3 (Jelly Bean) and prior versions of the OS. The company currently only supports Lollipop, the latest version of Android, and KitKat, Lollipop’s predecessor.

This decision means roughly 60 percent of Android devices — about 930 million smartphones, by some estimates — are vulnerable to attacks that exploit flaws for which no patches are currently available — nor are they likely forthcoming from Google.

“This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases,” said Tod Beardsley, a researcher at security firm Rapid7. He was one of the first people to learn of Google’s new policy to stop Android patches for older versions of the OS.

Beardsley said he fully expects smartphones running affected versions of the Android OS to be increasingly targeted by attackers and penetration testers once word of Google’s decision spreads.

Easy Targets

A WebView basically lets a Web browser be opened from inside a mobile application. Developers typically add a WebView to their application if they want it to display as a Web page or run a Web application. Google replaced its original WebView for Android with an updated version of the component based on the Chromium open source project when it released Android 4.4, or KitKat. The new WebView has the same rendering engine as the one used by Chrome to render browser pages on Android devices.

Sometime between KitKat and the release of Lollipop, Google apparently decided to stop issuing Android patches for WebView on Jelly Bean and previous versions of Android.

Highly Vulnerable Without Android Patches

Beardsley said he discovered the change when reporting a new vulnerability in WebView to Google. The vulnerability is one of close to a dozen that security researchers have discovered in WebView in recent months. All the vulnerabilities exist in Android 4.3 and earlier, which are precisely the versions Google no longer supports.

Google incident handlers responding to Beardsley’s bug submission basically said the company does not develop patches for older versions of Android. However, Google is apparently open to receiving patches from those reporting vulnerabilities. The incident handlers added that other than alerting original equipment manufacturers of a bug, Google will not take any further steps to patch or mitigate problems on Jelly Bean and older versions of Android.

Google’s Reasons

Google’s reasoning is reportedly based on the fact that it no longer certifies third-party devices that include the Android browser, Beardsley wrote. Google leaves it up to original equipment manufacturers and carriers to ensure their devices are properly patched. Generally, when Google receives an Android vulnerability report, it provides quick security updates for Nexus devices, which it controls. It also ensures future releases of Android are free of the reported problem.

However, in all other situations, the company has maintained that the best way to ensure continued support is for users to upgrade to the latest versions of the Android OS.

“To put it another way, Google’s position is that Jelly Bean devices are too old to support — after all, they are two versions back from the current release, Lollipop,” Beardsley said.

Image Source: Flickr

More from

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today