Google has indicated that it will no longer develop security patches for the WebView renderer in versions of Android prior to 4.4 'KitKat' - leaving hundreds of millions of users at risk of attack.
Google regularly releases new editions of its Android mobile operating system, each one of which gets a friendly dessert-themed codename. The latest is Android 5.0 Lollipop, the successor to Android 4.4 KitKat. Each release brings with it new features, such as the more efficient Android RunTime (ART) to replace the old Dalvik runtime, and also fixes for numerous security holes - in common with any complex software.
Tod Beardsley of the Metasploit project has, however, reported something Google has not trumpeted: it is no longer developing security fixes for the WebView component in any but the last two releases of its operating system. Users on Android 4.3 Jelly Bean and older - the most recent version of which was released in October 2013, and which together are estimated to account for just shy of a billion devices globally - are, therefore, at increasing risk of attack.
In a blog post, Beardsley reports on a discovery by security researcher Rafay Baloch of a flaw in the WebView renderer of Android 4.3 and older. Responding to Baloch's report, Google's security team explained: 'If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.'
The message is clear: Google will not develop patches for security vulnerabilities in the WebView renderer supplied with versions of Android older than 4.4 - but will consider a fix if the person or organisation reporting the flaw writes the patch themselves. Because WebView is the component that third-party apps use to display web content, not just the stock browser, an unpatched WebView exposes any app on the device that renders untrusted pages.
'I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position,' Beardsley wrote, relaying a similar response he had received from Google confirming the policy. 'When asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.'
'Google's position is that Jelly Bean devices are too old to support - after all, they are two versions back from the current release, Lollipop,' Beardsley explains. 'On its face, this seems like a reasonable decision. [But] the idea that "pre-KitKat" represents a legacy minority of devices is easily shown false by looking at Google's own monthly statistics of version distribution. As of January 5, 2015, the current release, Lollipop, is less than 0.1% of the installed market, according to Google's Android Developer Dashboard. It's not even on the board yet. The next most recent release, KitKat, represents about two fifths of the Android ecosystem.
'This leaves the remaining 60% or so as "legacy" and out of support for security patches from Google. In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support, given the published Gartner and WSJ numbers on smartphone distribution.'