Reports: Google Stops Patching Old Android Browser Vulnerabilities

by Ostatic Staff - Jan. 13, 2015

Around the time that Google went into the handset business itself, there were a lot of questions about how the company would treat Android in terms of protecting its own competitive advantages with Android devices while preserving Android as an open platform for others to leverage. Some suggested that Google devices would get the advantage of newer releases of Android, while other devices would have to wait.

In a different spin on these issues, security researchers are raising red flags over the fact that Google will seemingly no longer fix security flaws in the browser in the oldest versions of Android. According to Tod Beardsley, a security researcher at Rapid7, versions of Android WebView, the component that the Android browser and apps use to render webpages, are insecure.

The issue pertains to Android WebView running on Android 4.3 and below. The component in question was done away with when Android 4.4 arrived.

Still, Android is such a prevalent platform now that Google is bound to face the same issues that Microsoft faced as it phased out support for widely used versions of Windows over the years.

Beardsley writes:

"Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android's native WebView prior to 4.4. In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google, according to incident handlers at asked for further clarification, the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches...Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser,' and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android.'"

People are bound to disagree about these changes. After all, if you use iOS or iTunes, don't they nag you to upgrade to the latest version for best results? Adobe's tools are pretty diligent about doing that as well.

When it comes to security issues, though, what matters is how many devices a vulnerability affects, and it sounds like there are going to be a lot of vulnerable Android devices out there.

You can read more about Beardsley's findings here.