worst flavor of jelly bean

Google stopped patching old Android exploits, but don’t panic

Security researchers are up in arms this morning over Google’s decision to stop patching a core Android component on older devices.

According to Tod Beardsley, an engineer at security firm Rapid7, older versions of Android WebView, the component that the stock Android browser and many apps use to render web pages, carry known vulnerabilities. (Rapid7’s Metasploit framework catalogs 11 vulnerabilities in Android WebView.) Making things worse, Google has apparently stopped patching the component for older phones, and if you report a vulnerability, Google will not act on it unless you supply a patch yourself.

Beardsley says that Android’s massive deployment means that “any new bug discovered in ‘legacy’ Android is going to last as a mass-market exploit vector for a long, long time.” It’s as if Microsoft had stopped patching Windows XP and Internet Explorer in 2007.

The affected version of Android WebView was dropped in Android 4.4 (KitKat), which replaced it with a more modern, Chromium-based WebView. The only phones affected are running Android 4.3 and below, so most Americans with recent Android devices are in the clear.

Android Breakdown in Jan 2014

Still, a lot of phones run an older version of Android. According to Google’s own statistics from January 2015, nearly 46 percent of Android devices are running a version of Jelly Bean, which saw its final release in October 2013. Fourteen percent of devices are running on an even older version of Android.

Why would Google stop patching a key part of hundreds of millions of devices? One hint is in the email Google’s Android security team sent to Beardsley:

Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Google doesn’t have complete control over operating system updates on shipped devices. Even if it issued patches for older versions, device makers and carriers would still decide whether to devote the resources to integrating the fix into their firmware and pushing it out to customers.

These issues are a main reason why, in recent years, Google has been moving more and more of its contribution to Android into Google Play Services. Google controls when Google Play Services updates, and for many features that makes the specific version of Android your phone is running much less important.

In fact, in June, Google announced that Google Play Services can deliver security updates, and about 93 percent of Android devices are on the latest version. So although Google may not be able to patch older open-source components of Android, such as the legacy Android WebView, on certain older devices, it’s likely Mountain View will be able to push security updates to current devices until the end of their lives. Security is a big reason the Android One program promises two years of updates for cheap phones.

It might not be any comfort to people sticking with phones running Jelly Bean, but Android WebView is no longer baked into the Android operating system. As of Android 5.0 (Lollipop), WebView ships as a separate component that phones update directly from Google Play, independent of OEM and carrier firmware updates. (Android 4.4 already has the Chromium-based WebView, but on that version it is still only updated along with the operating system.)
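A quick way to tell which of these situations a given device is in, as an added example that is not from the article or from Rapid7: read the API level with `getprop` and, where it exists, the version of the Play-updated WebView package. The mapping it relies on is the one stated above (API 18 and below is 4.3 and earlier, API 19 and 20 are 4.4 and 4.4W, API 21 and up is 5.0 or later). The `dumpsys` sample text used when no device is attached is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article. Classifies a device's WebView
# update channel from its API level, and reads the version of the
# Play-updated WebView package (com.google.android.webview) on 5.0+.

# classify_webview <api_level> -> legacy | os-bound | play-updatable
classify_webview() {
  sdk="$1"
  case "$sdk" in
    ''|*[!0-9]*) echo "unknown"; return 1 ;;
  esac
  if [ "$sdk" -le 18 ]; then
    # Android 4.3 and below: legacy WebKit WebView, no Google patches
    echo "legacy"
  elif [ "$sdk" -le 20 ]; then
    # Android 4.4 / 4.4W: Chromium-based, but only updated with OS updates
    echo "os-bound"
  else
    # Android 5.0+: WebView delivered as a Play-updatable package
    echo "play-updatable"
  fi
}

# webview_version <dumpsys text> -> first versionName= value, or empty string
webview_version() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# Use a real device when adb is present and one is attached; otherwise fall
# back to constructed sample data so the script still runs offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
  dump=$(adb shell dumpsys package com.google.android.webview 2>/dev/null | tr -d '\r')
else
  sdk=21
  # Constructed sample of a dumpsys package listing, not real device output.
  dump="Packages:
  Package [com.google.android.webview] (sample):
    versionCode=0 targetSdk=21
    versionName=37.0.0.0"
fi

echo "API level $sdk: WebView is $(classify_webview "$sdk")"
ver=$(webview_version "$dump")
if [ -n "$ver" ]; then
  echo "Android System WebView package version: $ver"
else
  echo "No Play-updated WebView package found (expected on 4.4 and below)"
fi
```

On a 4.3 device the package query returns nothing and the classification is `legacy`, which is exactly the population the article is talking about; on 5.0+ the reported package version is the one Google can bump through Play without waiting on the OEM.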

5 Responses to “Google stopped patching old Android exploits, but don’t panic”

  1. Krod Thealmighty

    ok, I’ve got an Acer on 4.2.2, and they never update anything, so does this mean I’ll be worse off?

    and anyway my phone has google play services running so do updates to this cover me?

    thanks for any and all answers, comedians, internet abusers, and the helpful, all welcome

  2. Hi Kif –
    I’m having trouble following the “Don’t Panic” advice here. Yes, it’s good that future versions of Android will see WebView updates via Play mechanisms. But, as you state at the end of your article, I don’t understand how that’s helpful to the largely stuck install base of Jelly Bean users, both present and future.
    By future, I mean the consumers who buy a Jelly Bean phone today, which is still on the shelves and available from online retailers.
    I feel like we can stop panicking in 3-5 years when Jelly Bean is the vanishing minority. Today? Some panic seems justified.
    -Tod Beardsley, Rapid7

  3. Because I was elected “Lord of the Internet”, I’m giving Google 90 days to patch this. If they don’t meet the 90 days I will publish the exploit and detailed instructions on how to leverage it.