Security researchers have developed a number of exploits that target WebView in older versions of the Android mobile operating system. Despite the fact that about 60 percent of the mobile devices currently in use rely on the vulnerable WebView, Google has confirmed it has no plans to develop a patch or update to protect them.
Tod Beardsley explained in a post on the Rapid7 Security Street blog that Metasploit currently ships with 11 exploits for WebView. He clarifies, “WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.”
Google used to develop fixes for these older bugs, but it apparently no longer supports WebView on “legacy” versions of Android. According to Beardsley, Google’s new official position is that it will not develop patches for WebView issues affecting Android prior to version 4.4 (KitKat); it will, however, accept patches from researchers and notify OEM partners when a new vulnerability is discovered.
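Since no platform fix is coming for the legacy engine, the practical mitigation falls to app developers: detect a pre-KitKat WebView at runtime and reduce what the app lets it do. The following is an added illustration of that check, not code from the article, Rapid7, or Google; the bundled fallback page and the remote URL are placeholders, and the class and method names are assumptions.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (not from the article). Assumption: the app owns a WebView and
// wants to limit what it will do on devices still running the legacy
// (pre-KitKat, API level < 19) WebView that Google has said it will not patch.
public final class LegacyWebViewPolicy {

    // Android 4.4 KitKat is the first release with the Chromium-based WebView.
    static final int FIRST_CHROMIUM_WEBVIEW_API = Build.VERSION_CODES.KITKAT;

    /** True when this device still ships the unpatched legacy WebView engine. */
    static boolean runsLegacyWebView() {
        return Build.VERSION.SDK_INT < FIRST_CHROMIUM_WEBVIEW_API;
    }

    /** Apply settings appropriate to the engine the device actually has. */
    static void configure(WebView view) {
        WebSettings s = view.getSettings();
        if (runsLegacyWebView()) {
            // On an engine that will never be patched, cut the attack surface rather
            // than trust it: no script execution, no file or content-provider access.
            s.setJavaScriptEnabled(false);
            s.setAllowFileAccess(false);
            s.setAllowContentAccess(false);
            // Render only content the app ships itself; assets remain loadable even
            // with file access disabled. Page name is a hypothetical placeholder.
            view.loadUrl("file:///android_asset/unsupported.html");
        } else {
            // Chromium-based WebView: enable only what the app actually needs.
            s.setJavaScriptEnabled(true);
            s.setAllowFileAccess(false);
            s.setAllowContentAccess(false);
            // Placeholder URL; a real app would load its own HTTPS endpoint.
            view.loadUrl("https://example.invalid/app");
        }
    }

    private LegacyWebViewPolicy() {}
}
```

Call `LegacyWebViewPolicy.configure(webView)` once after the view is created and before any `loadUrl`. The point is not that a bundled page is harmless in itself, but that a legacy engine should never be handed untrusted remote content with scripting enabled when the vendor has said the bugs in it will stay open.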
“Even if Google did provide a patch, it would not immediately help those ‘60 percent’ as the final ‘mile’ to the customer handset must be provided by the phone manufacturers or OEMs,” explained Garve Hays, solution architect with NetIQ. “In fact, the OEMs took consumer money, not Google (unless you consider Nexus handsets). So the OEMs should stand by their customers and provide a patch, or an upgrade path to KitKat or better.”
That’s true, and it highlights the larger issue with Android. Google developed Android, but it’s an open source platform with a complex web of parties involved. Consider the fact that Android 4.4 KitKat was released well over a year ago in October of 2013, and yet it currently makes up less than 40 percent of the total Android devices. The latest version—Android 5.0 Lollipop—has been available since the beginning of November, and hasn’t yet scratched out even one percent of the Android market.
Not all Android devices—even those running the same version of Android—are created equally. Google develops new versions of Android, but then it falls into the hands of the Android device manufacturers and wireless providers where there is often a cumbersome assortment of third-party apps, features, and skins thrown in. That’s why patches to existing versions of Android, or new versions of the Android operating system have to go through extensive tweaking and testing before they’re actually available for users. In many cases, vendors and wireless providers would prefer that customers upgrade to newer devices, so they’re reluctant to dedicate the resources necessary to test and deploy updates on older devices.
Taking all of that into consideration, I can’t say that I blame Google really. Android is a community effort, so it doesn’t seem all that unreasonable for patching it to be the responsibility of the entire community.
If nobody steps up to take responsibility and develop the patches necessary to protect older Android devices, the result is hundreds of millions of vulnerable devices waiting to be exploited. Hays cautions, “This certainly sets the stage for a ‘long tail’ exploit scenario in that unpatched, older versions may be harnessed for nefarious purposes.”
Security researchers have reported exponential growth in the number of mobile malware threats identified in recent years, and almost all of it is developed to target Android. Hopefully the Android community can figure out how to address this issue and make sure patches continue to be developed and offered in a timely manner.