Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

If you’re running Android 4.3 or earlier, you’re pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was disclosed earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from anyone who chooses to exploit the security hole.

For those who don’t already know, WebView is a core component of the Android operating system that renders web pages inside apps. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that devices running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected.

[Image: a Nexus device running Android Jelly Bean. Source: Maulim/Wikimedia Commons]

Google responded to Beardsley on January 12 with the following statement:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

What’s most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn’t seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

On Friday, Google’s Adrian Ludwig took to Google+ to further explain his company’s position on patching vulnerabilities in older versions of Android. While Google still has no plans to extend an olive branch to users running Android 4.3 or earlier, Ludwig did give some insight into why this decision was made.

“Keeping software up to date is one of the greatest challenges in security,” Ludwig explained. “Google invests heavily in making sure Android and Chrome are as safe as possible and doing so requires that they be updated very frequently.”

Ludwig went on to explain that backporting a patch would be a herculean effort. “WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.” We’re sure that Microsoft and Apple would have loved to offer that excuse when complying with Google’s 90-day disclosure window for vulnerabilities reported via Project Zero.

[Image: Android version distribution chart. Only Android 4.4 KitKat and Android 5.0 Lollipop users are safe; however, Lollipop market share is too low to even show up in Google's stats.]

Ludwig further explained that users on Android 4.3 and older should simply use a browser that is updated through Google Play in order to avoid the WebView vulnerability (he specifically points out Chrome and Firefox). “Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future it will also protect you against any issues that might be found in the future.”

For those savvy enough to install a browser other than the default (like Chrome or Firefox) on their Android 4.3 or earlier device, it appears that the vulnerability can be easily sidestepped, at least for ordinary web browsing. But the vast majority of people, who just stick with the default browser and use their devices for playing Candy Crush, keeping up with friends on Facebook, or scouting new recipes on Pinterest, will likely be the ones most at risk from nefarious hackers. And that’s what’s most unsettling about Google’s response to this matter.