The Android operating system uses a core component called WebView to render web pages. Because of what it does (parsing and rendering untrusted web content inside apps), this component is predictably under constant scrutiny from security researchers looking for vulnerabilities to report to Google. Tod Beardsley, security researcher at Rapid7 and member of the Metasploit project, posted that one of these reports was answered by Google's incident handlers stating that the newly found vulnerability will not be patched, since it concerns a version of WebView prior to 4.4 (KitKat):
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
Beardsley says that, after some back and forth with the incident handlers, the reason Google gave for no longer developing patches for WebView in Android 4.3 and earlier is that they “no longer certify 3rd party devices that include the Android Browser”. In other words, it is simply too old.
That makes sense, at first glance. The current latest version of Android is 5.0 (Lollipop); before that came 4.4 (KitKat). Google is therefore dropping patches for versions of WebView that are at least two major versions behind the current one. Considering that some vendors drop support for the previous version of a piece of software as soon as the new one ships, this should not surprise anyone. But Android is an exception to the rule.
At this moment the most used Android version is Jelly Bean (4.1 to 4.3). Lollipop is installed on only 0.1% of the Android devices currently in use, while KitKat is installed on 39.1%. That leaves more than 60% of Android devices that will no longer receive WebView security patches from Google. In absolute terms, roughly 930 million devices are exposed to new WebView security risks (including the one Beardsley reported) and will not get patches unless a third party decides to develop one and submit it to Google.
For software companies, supporting legacy systems can be very resource-consuming and more often than not hard to justify. That said, when almost two out of three users are still on one of those systems, it is hard to defend the decision to drop support.
What do you think of Google's decision? Do you use an older version of Android? Are you worried by the lack of future patches? Let us know in the comments.