An estimated 930 million devices will be left vulnerable to hack attacks as Google announced it will cease providing patches for pre-KitKat WebView bugs in Android.
WebView is a core component used for rendering Web pages on an Android device. The more recent Chromium-based version of WebView was introduced in Android version 4.4 (KitKat), but that still leaves a large number of devices exposed.
The latest Android distribution figures from Google indicate that 46 per cent of Android devices still run Jelly Bean, and another 39.1 per cent use KitKat. Gingerbread runs on about 7.8 per cent of handsets, Ice Cream Sandwich on 6.7 per cent, and Froyo on about 0.4 per cent.
WebView is used in about 930 million Android devices, Tod Beardsley, security researcher at IT security and data analytics firm Rapid7, said in his blog post on Metasploit. Numerous flaws in the component have been discovered by researchers over the years.
“Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope,” he said.
Beardsley followed up with Android and got this response:
“If the affected version (of WebView) is before 4.4, we generally do not develop patches ourselves but do notify partners of the issue…if patches are provided with the report or put into AOSP (Android Open Source Project) we are happy to provide them partners as well.”
“Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” the Android team said.
The Android team said other pre-KitKat components, such as multimedia players, will continue to get back-ported patches.
Since Android is open source, Beardsley noted that “it is not impossible” for handset manufacturers, service providers, retailers and even enthusiasts to come up with their own patches. However, he said it is impossible to say how often such patches would become available.
The security researcher also said Google’s decision not to support an old OS like Jelly Bean “seems like a reasonable decision”, but it is still a move that leaves millions of users vulnerable, as the company’s own monthly stats show a huge install base for older Android OSs.
The data also imply that the vulnerable users are those who might find it difficult to upgrade to a newer system because of budget constraints. The latest Google Nexus phone costs about US$660, while the first Android phone sells for under $70 on Amazon.
“As a software developer, I know that supporting old versions of my software is a huge hassle,” Beardsley said. “I empathize with their decision to cut legacy software loose. However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives.”