Google puts 60 percent of Android users at risk with WebView security changes

[Image: Android Lollipop statue. Caption: KitKat and Lollipop support continues]

Google has ended WebView security support on Android versions Jelly Bean and below, leaving over 60 percent of its users at risk.

Tod Beardsley, engineering manager at Rapid7, reported the cut-off in a blog post warning that the change will affect as many as 930 million Android users.

"Google is now only supporting the current named version of Android, Lollipop, or 5.0, and the prior named version, KitKat, or 4.4. Jelly Bean, versions 4.0 through 4.3 and earlier, will no longer see security patches for WebView from Google," read the post.

"This leaves the remaining 60 percent or so as 'legacy' and out of support for security patches from Google. In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support."

At the time of publishing, Google had not responded to V3's request for comment on the cut-off.

Beardsley told V3 that the move will inevitably draw the attention of criminals and lead to a fresh wave of exploits targeting the unsupported Android versions.

"Android Jelly Bean, and prior phones, are a massive temptation for any criminal enterprise. It's a huge installed base that's designed to interact with the internet, and it holds the personal and social details of hundreds of millions of people," he said.

"I'd say that when the chance of a patch reaching these end points goes from low to none, it's a signal to criminals that they have plenty of time and incentive to take advantage of any security vulnerability they discover."

He added that the lack of support will be particularly dangerous for businesses using Android.

"As far as the business impact - many organisations have an unwritten culture that white collar employees should be reachable and capable of doing work from their phone 24/7," Beardsley said.

"If the business is relying on that employee to use their own phone, again, they should at least provide enough training so that the employee doesn't accidentally expose confidential documents via a known-vulnerable device."

Chris Boyd, malware intelligence analyst at Malwarebytes, noted that, despite the seriousness of the cut-off, there are other, more pressing threats facing Android.

"Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake/rogue application installs - typically by sites asking the device owner to allow installs from unknown sources," he said.

Beardsley shared Boyd's sentiment, noting that the cut-off is indicative of wider problems in Android and of a lack of security awareness within most firms.

"For security professionals, the fragmentation issue is a headache for sure. Security professionals are still grappling with the fact that employees bring untrusted, unmanaged devices into the office and connect with business networks all the time," he said.

"It would behove the IT security staff to train employees on the basics of personal network security; at least, people should be able to identify that their phone is vulnerable today to certain classes of attack, and will remain so for a while."

The news follows efforts by Google to bolster Android's security with a number of upgrades introduced as part of the 5.0 Lollipop update.

Key updates include running Security-Enhanced Linux (SELinux) in enforcing mode and upgraded encryption services.

For a full look at Android 5.0 Lollipop and its features check out V3's in-depth review.
