Google has stopped providing security patches and updates for its ‘WebView’ component on Android Jelly Bean and prior versions. On Jan 12, 2015, independent researchers Rafay Baloch (of Rafay’s Hacking Articles) and Rapid7’s Joe Vennix, who have been pen testing Android’s WebView, reported 11 security exploits. These 11 exploits affect Android 4.3 and prior versions, along with apps developed on those versions.
A group of researchers emailed Google about these flaws, and Google replied:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
So let’s find out what WebView is and what Jelly Bean users must do to minimize the chances of exploitation.
What is Android System WebView?
If you browse on your smartphone with anything other than Google Chrome or Firefox, you are probably using Android WebView.
WebView is the core component used to render web pages on Android devices. In Android 4.4 KitKat it was replaced with a more recent Chromium-based version of WebView, the same base used by the popular Chrome browser. In Android 5.0, WebView was split out as a separate app so that security patches can be delivered directly from the Google Play Store. In earlier versions, patching WebView required a firmware update. From Android Lollipop onward, if a security patch is required, Google can push it as an app update over the Play Store.
Why stop fixing?
The main reason Google withdrew its support for older versions is that fixing these flaws costs Google whole new firmware builds. Instead of fixing the code over again, Google encourages users to upgrade to the newer desserts. Google is still ready to patch if anyone submits the fixes, but this is only possible with the support of OEMs, as they need to push the fixes to all their older devices. Modernisation is inevitable, and hence these fixes are ignored. After all, things need to move on.
What should Jelly Bean and prior users do?
According to Metasploit, a good share of users are still on Android Jelly Bean, and it will take 2 years for that noticeable share to shrink. Some developers believe Google has already fixed those security flaws, and that the clever fix is named Android 4.4 KitKat. So if you’re still on Jelly Bean, these are must-follow tips if you don’t want to get exploited:
- Update your apps to the latest versions
- Use the Chrome or Firefox browser
- Uninstall all third-party apps
- Only install apps from trusted developers
- Never browse in the native app browser (set links to default to the Chrome browser)
For the rest of the world, don’t just relax on your couch. Keep the latest version of Android System WebView on your device, because we never know what fixes are yet to be done in KitKat or later versions. For now, stick with Google and install the latest WebView updates.
So what do you think about Android WebView? Is Google right to ignore such issues, or must it fix them ASAP? Share your views in the comments below.