Google stopped patching old Android exploits, but don’t panic

Security researchers are up in arms this morning over Google’s decision to stop patching a core Android component on older devices.

According to Tod Beardsley, an engineer at security firm Rapid7, the versions of Android WebView shipped with older releases of Android have known, unpatched vulnerabilities. WebView is the component the Android browser and many apps use to render webpages, so a WebView bug is reachable from any app that loads attacker-controlled web content. (Rapid7's Metasploit product catalogs 11 vulnerabilities in Android WebView.) Making things worse, Google has apparently stopped patching the component for older phones, and if you report a vulnerability, Google won't act on it unless you provide a patch yourself.

Beardsley says that Android's massive deployment means that "any new bug discovered in 'legacy' Android is going to last as a mass-market exploit vector for a long, long time." It's as if Microsoft had stopped patching Windows XP and Internet Explorer in 2007, while they were still the most widely deployed versions.

Android 4.4 (KitKat) replaced the affected WebView with a newer, Chromium-based implementation. The only phones affected are those running Android 4.3 and below, so most Americans with recent Android devices are in the clear.

Chart: Android Breakdown in Jan 2014

Still, a lot of phones run an older version of Android. According to Google's own statistics from January 2015, nearly 46 percent of Android devices are running a version of Jelly Bean (Android 4.1 to 4.3), which saw its final release in October 2013. Fourteen percent of devices are running an even older version of Android. All of those devices carry the unpatched WebView.

Why would Google stop patching a key part of hundreds of millions of devices? One hint is in the email Google's Android security team sent to Beardsley:

Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Google doesn't have complete control over its operating system updates. Even if it were to issue patches for older devices, device makers and carriers would get to decide whether to devote the resources to integrating the fix into their builds and pushing it out to customers, and for devices two or three years old they often don't.

These issues are a main reason why in recent years Google has been moving more and more of its contribution to Android into Google Play Services. Google controls when Google Play Services updates, without waiting on device makers or carriers, and in many ways that makes the specific version of Android your phone is running matter much less.

In fact, in June, Google announced that Google Play Services can deliver security updates, and about 93 percent of Android devices are on the latest version. So although Google might not be able to patch older open-source components of Android, like the legacy Android WebView, on certain older devices, it's likely Mountain View will be able to push security updates to current devices until the end of their lives. Security is a big reason the Android One program promises two years of updates for cheap phones.

It might not be any comfort to people sticking with phones running Jelly Bean, but Android WebView is no longer baked into the Android operating system. Starting with Android 5.0 (Lollipop), WebView ships as a separately updatable package, and phones running a recent version of Android usually update it automatically from Google Play, without waiting for a firmware update from the device maker or carrier.
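The practical question for anyone auditing a fleet of devices is which of the three situations the article describes a given phone is in: the legacy WebView that Google no longer patches (Android 4.3 and below), the Chromium-based WebView that is still part of the firmware image (Android 4.4), or the Play-updatable WebView (Android 5.0 and later). The following shell function is an added example, not code from the article or from Rapid7 or Google; it classifies a device from its `ro.build.version.sdk` build property using the standard API levels (19 = 4.4 KitKat, 21 = 5.0 Lollipop), and the `adb` invocation in the comment is how you would feed it a real device's value.

```shell
#!/bin/sh
# Added example: classify a device's WebView patch path from its API level.
# Boundaries are the standard Android API levels (19 = 4.4, 21 = 5.0).
#
# With a connected device (needs adb, not run here):
#   webview_status "$(adb shell getprop ro.build.version.sdk | tr -d '\r')"
webview_status() {
  sdk="$1"
  # Reject anything that is not a plain integer before using -lt on it.
  case "$sdk" in
    ''|*[!0-9]*) echo "unknown"; return 0 ;;
  esac
  if [ "$sdk" -lt 19 ]; then
    # Android 4.3 and below: legacy WebView, Google only notifies OEMs.
    echo "legacy-webview-unpatched"
  elif [ "$sdk" -lt 21 ]; then
    # Android 4.4: Chromium-based WebView, but still shipped inside the
    # firmware image, so a fix needs an OEM/carrier OS update.
    echo "chromium-webview-os-bundled"
  else
    # Android 5.0+: WebView is a separate package updated from Google Play.
    echo "chromium-webview-play-updatable"
  fi
}

# Report over a list of "serial sdk" lines (constructed sample data;
# in practice produce it from `adb devices` plus getprop per serial).
report_fleet() {
  while read -r serial sdk; do
    [ -n "$serial" ] || continue
    printf '%s\tAPI %s\t%s\n' "$serial" "$sdk" "$(webview_status "$sdk")"
  done
}

# Count devices in the worst bucket; returns the count on stdout.
count_unpatched() {
  report_fleet | grep -c 'legacy-webview-unpatched'
}

SAMPLE_FLEET='dev-0001 18
dev-0002 19
dev-0003 21
dev-0004 17
dev-0005 ?'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_FLEET" | report_fleet
  printf 'unpatched: %s\n' "$(printf '%s\n' "$SAMPLE_FLEET" | count_unpatched)"
fi
```

Run it as `sh webview_status.sh --demo` to see the constructed sample classified; the sample lines are made up and only show the three buckets plus a malformed value. The function deliberately reports "unknown" for anything that is not an integer rather than guessing, because a garbled `getprop` line (stray `\r`, an empty string from a device that refused the shell) should never be silently counted as patched.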