Google re-emphasizes upgrade policy, most Android devices continue to be excluded from updates


Citing the size of the codebase, Google confirmed that it will not patch the WebView component on roughly 60% of Android devices.

Google on Friday confirmed its decision to stop patching WebView, a core component of Android versions prior to 4.4 "KitKat," citing the size of the codebase and the risk that a fix applied to such an old branch would itself break things.

"Until recently, we have supported the version of WebKit used by WebView in Android 4.3 and earlier," Adrian Ludwig, lead security engineer on the Android team, wrote on Google+. "But WebKit alone is over 5 million lines of code, and hundreds of thousands of developers are adding tens of thousands of contributions every month. So applying a vulnerability patch to a branch of WebKit that is more than two years old is likely to affect important parts of the code without actually improving security."

Ludwig's comments come in response to a disclosure earlier this month by Tod Beardsley, an engineering manager at security vendor Rapid7, who reported that Google's security team will no longer patch vulnerabilities in WebView on Android 4.3 and earlier, that is, on Jelly Bean (the release preceding KitKat) and everything before it.

WebView powers the stock Android browser in Jelly Bean (Google replaced that browser with Chrome in KitKat) and is the component that apps call when they display web pages. (The next big change to WebView came with version 5.0 of Android, "Lollipop".)

Because WebView is not only at the core of Google's mobile browser but is also called directly by a great many applications, any vulnerability in it poses a serious threat to users, Beardsley argued in a blog post published on January 12 and in an interview with Computerworld the same day.

"WebView is the root of Android's attack vector," Beardsley added. "If I were an attacker, I would create a website using WebView and hope that the victim would click on it."

According to Beardsley, the Android security response team first replied to a vulnerability report in October last year, stating that it would not release any more fixes for WebView. Beardsley used his blog to press Google to reverse that position and resume providing WebView fixes for older versions of Android. After all, Google's own statistics show that the affected versions of WebView still run on more than 60% of Android devices.

Ludwig confirmed that WebView will not receive any further updates on most Android smartphones and tablets, and also spelled out Google's patch-handling policy:

"We will provide fixes to existing Android branches in the Android Open Source Project (AOSP) and deliver them directly to Android partners for at least the last two major versions of the operating system."

How did Beardsley respond?

"First of all, I was very surprised by the response from Google. They don't usually respond to security advisories," Beardsley said in an interview on Friday. But at least now everyone knows whether their version of Android will get security fixes. "This is the first time Google has made a big, public statement about its patching policy," Beardsley added. "I'm glad they've been so clear, even if it doesn't really help."

The various Jelly Bean releases came out between July 2012 and July 2013, which means that in some cases WebView received only about a year of patch support, and at most about two years.

Apple, by contrast, continues to support previous generations of its iOS devices, and unlike Google, it delivers patches directly to users. (Last year's iOS 8 still supports the iPhone 4S and later, which went on sale in October 2011.) Meanwhile, Microsoft supports its Windows desktop operating system for 10 years, and Windows Phone 8.1 for three years, until July 2017.

Ludwig recommends that users browse with an updatable browser such as Chrome or Mozilla Firefox and keep it up to date. "Using an updatable browser protects users from currently known security issues, and because it can be updated continuously in the future, users will continue to be protected against any known issues in the future," Ludwig explained.

Ludwig also said that app developers should follow security best practices, namely loading only trusted content (content bundled on the device itself or delivered over HTTPS) or writing their own renderers.

"Some of this is good advice, but some of it is a little weird," Beardsley countered. Yes, he thinks developers should incorporate security practices into their daily work, as Ludwig wrote, but what about the rest? "It's a little unrealistic. There are a lot of apps out there that do nothing but render ads, and I doubt many ad networks use HTTPS," Beardsley pointed out. "And writing your own renderer? That's confusing. I don't know what this has to do with solving the security issues facing users of Android 4.3 and earlier."
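What "only load trusted content" looks like in practice, as an added example that is not code from the article, from Google or from Rapid7: an Android activity whose WebView is locked to an app-controlled allowlist of HTTPS hosts plus pages bundled in the APK, with JavaScript and file/content access switched off. On a device whose WebView will never be patched, controlling what gets rendered is the only lever the developer has left. The host names and the asset path are hypothetical placeholders.

```java
// Added example (not from the article, Google or Rapid7): a WebView that renders only
// bundled assets or HTTPS content from an allowlist of hosts. Hosts and asset path are
// hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class TrustedContentActivity extends Activity {

    // Hypothetical allowlist: only these hosts, and only over HTTPS.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("content.example.com", "cdn.example.com"));

    // Content shipped inside the APK. file:///android_asset/ stays readable even when
    // setAllowFileAccess(false) has disabled access to the rest of the file system.
    private static final String LOCAL_START_PAGE = "file:///android_asset/start.html";

    /** True only for bundled assets or https://<allowlisted host>/... */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        if (url.startsWith("file:///android_asset/")) return true;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();   // for https://a.example.com@evil.com/ this is evil.com
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Weak configuration, commonly seen in apps: JavaScript on, file and content
        // access left at their permissive defaults. Hardened form below.
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);       // only enable if the allowlisted content needs it
        s.setAllowFileAccess(false);         // no file:// reads outside bundled assets
        s.setAllowContentAccess(false);      // no content:// provider reads
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }

        webView.setWebViewClient(new WebViewClient() {
            // Page-initiated navigations (links, redirects): refuse anything off the allowlist.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url);      // true = the WebView does not load it
            }

            // Sub-resources (scripts, images, frames): answer with an empty body instead of
            // letting the old engine fetch and parse attacker-controlled content.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isTrusted(url)) return null;   // null = let the WebView fetch it normally
                return new WebResourceResponse("text/plain", "UTF-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });

        webView.loadUrl(LOCAL_START_PAGE);
    }
}
```

Two caveats a reviewer would raise. First, the HTTPS requirement only means something if certificate errors stay fatal: the default WebViewClient.onReceivedSslError cancels the load, so do not override it to call proceed(). Second, the allowlist is only as good as the hosts on it; an ad network or analytics endpoint added to it inherits full rendering in the unpatched engine, which is exactly the ad-heavy case Beardsley describes.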

Ludwig noted that Android users have begun upgrading from vulnerable Jelly Bean and earlier versions to newer releases such as KitKat and Lollipop. "Thanks to the advances in Android 4.4, the number of users potentially affected by the WebKit security issue is decreasing every day, as more and more users upgrade to new versions or buy new devices," Ludwig said.

Google and the mobile operators that sell most Android devices may deliver operating system updates more promptly in the future, but for now progress is slow. According to Google's own statistics, last updated on January 5 this year, more than 60% of Android devices still run Jelly Bean or earlier.

Jelly Bean alone still accounts for 36% of all Android devices, almost on a par with KitKat (39.1%), while the recently released Lollipop has not yet reached even a 0.1% share.

"There are reasons why people stay on older versions of Android," Beardsley said, citing several common ones: financial constraints that keep users from buying smartphones with newer versions of Android, and the fact that most carriers are slow to push upgrades because they would rather sell new hardware than update older devices.

"Over the next five years, this will improve, but it will still not be 100% resolved," Beardsley said. "Exploits targeting vulnerabilities in older Android versions will remain active and viable," he added, comparing the situation to the attacks that still target Windows XP.

"It would be simplistic and crude to just dump 60 percent of Android devices into the legacy category, and I don't think that would do anything positive," Beardsley said.

Ludwig did acknowledge this, though Beardsley had earlier called on Google to reconsider.

"But they have shown no sign of backing down, and the decision is probably a done deal," Beardsley conceded.

Original English text: http://www.computerworld.com/article/2875136/google-defends-policy-that-leaves-most-android-devices-unpatched.html
