Jeff Causey
A new report that surfaced today claims that Google has ended support for WebView on Android devices running Android 4.3 or older, a move that could leave users exposed to malicious attacks. WebView is considered a “core component” of Android and is used by applications to display web pages without opening an actual browser session. Starting with Android 5.0 Lollipop, Google decided to unbundle WebView from the core system so updates could be pushed out via the Google Play Store.
The source of the news regarding a lack of updates for Android versions 4.3 or older came from a response by Google’s Android security team to a report of a bug in the AOSP browser which is based on WebView. According to the response to Joe Vennix of Rapid7 and independent researcher Rafay Baloch:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
Taken at face value, that response seems to suggest that Google is relying on third parties to develop patches for problems in Android 4.3 or older. If those third parties can develop a solution, Google will push it out, but Google is not working on solutions themselves. Google has declined thus far to issue a response or comment regarding this apparent development.
It is unclear how big a problem this issue may be. On the one hand, some security professionals like Tod Beardsley with Rapid7 claim, “WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft's browser] is usually the best vector for attackers who want to compromise Windows client desktops.” Rapid7 provides 11 WebView exploits in their Metasploit penetration testing tool. Those same exploits could be used by unethical or criminal hackers to try to launch an attack on Android devices.
On the other hand, security consultant Andreas Lindh and others note that hackers who want to use WebView to launch an attack face some hurdles. High on the list is the need to get exploit code onto a web page that is being displayed by a targeted app or to somehow trick users into visiting a page with exploit code included in it. The latter option seems like the most probable attack vector.
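For app developers, the practical defence on these devices is to shrink what an embedded WebView is allowed to load, since the engine itself will not be fixed. The following Java snippet is an added example, not code from the article, Google or Rapid7; the class name, the host allow-list and a minimum SDK of 14 (Android 4.0) are assumptions.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Restrictive WebView setup for an app that must still run on pre-KitKat devices (assumes minSdkVersion 14). */
public final class LegacyWebViewPolicy {

    // Hypothetical allow-list: the only hosts this app's WebView may render on unpatched devices.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "help.example.com"));

    /** True on Android 4.3 and older, the versions for which Google no longer develops WebView patches. */
    public static boolean isUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19 == Android 4.4
    }

    /** Pure policy check: HTTPS only, and only hosts on the allow-list. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    public static void apply(WebView webView) {
        WebSettings settings = webView.getSettings();
        if (isUnpatchedWebView()) {
            // Smallest attack surface: no script execution, no file:// or content:// access.
            settings.setJavaScriptEnabled(false);
            settings.setAllowFileAccess(false);
            settings.setAllowContentAccess(false);
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
                settings.setAllowFileAccessFromFileURLs(false);
                settings.setAllowUniversalAccessFromFileURLs(false);
            }
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true blocks the navigation, so redirects or injected links off the list never load.
                return !isAllowed(url);
            }
        });
    }
}
```

On devices at or above 4.4 the settings block is skipped and only the allow-list applies, so the same code path serves both patched and unpatched WebView generations.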
While the issue gets sorted out, and while security professionals wait to see whether Google will clarify its end-of-life plans for WebView in older versions of Android, estimates put the number of devices running Android 4.3 or older at close to 1 billion of the 1.5 billion devices in the hands of customers.
source: Forbes