Google’s Android gets plenty of unwanted recognition for attracting malware, but given that it’s used by more than one billion of the world’s population while being famously open source, it’s an inevitability that comes with the territory. The search company behind the ubiquitous mobile software faces, we’re led to believe, a constant battle to ensure that security holes are fixed, bugs are squished and malicious attacks are thwarted. Yet according to a new report, the Big G has stopped pushing WebView updates, a move that may leave some 900 million users susceptible to attack.
When talking about Android’s user base, we’re talking about a large portion of the connected world, and like Facebook and other services catering to the billions, Android has to take on the huge responsibility of preserving privacy and security.
Yet WebView, which is the little bit of software that lets you view Web pages in-app rather than always jumping to Chrome or Firefox, is no longer in receipt of security updates from Google on Android versions predating KitKat (4.4.x), and given WebView’s reputation for being generally flawed and insecure, the situation seems perilous.
So those on Android Jelly Bean or lower, a percentage that equates to around two-thirds of the total user base, will not be covered by Google for flaws present and future as far as WebView is concerned.
To put things into further perspective, WebView is widespread and used by many apps, to the point where some hackers will concentrate solely on exploiting it for unscrupulous gain. The fragmented nature of Android is bad enough, but for Google to cease security updates for what is an integral component of Android’s wider infrastructure is nigh-on disgraceful. As security research firm Rapid7 noted to Forbes:
“WebView, for many, many attackers, is Android, just as Internet Explorer is usually the best vector for attackers who want to compromise Windows client desktops.”
Given that WebView harbors the ability to interact with other apps, it’s an appealing route for hackers to take, but the alteration in Google’s policy means that only WebView flaws on Android 4.4 will be officially patched.
With Lollipop 5.0 and up, WebView updates are automatically streamed from the Play Store, but given the very meager reach of Google’s latest software, the lack of security updates for Jelly Bean and earlier could spell danger for hundreds of millions.
It’s worth adding, to close, that Google will consider patches made to fix WebView issues on earlier versions of Android, which is of some comfort, but given that we’re talking here about a Google platform, it shouldn’t be down to independent security experts and firms to clean up the mess.