Google won't fix vulnerability affecting 60% of Android phones

Some time ago, Google caused an uproar by disclosing a Windows vulnerability two days before Microsoft released a patch for it. Now Google itself is in the spotlight because of problems with its own software updates.

Despite several earlier warnings, yet another security vulnerability has been disclosed in the WebView component of Android 4.3 and earlier. WebView is the embeddable browser control used by Android applications; in these versions it is built on a version of the WebKit rendering engine.

The WebView in Android 4.4 and 5.0 uses Blink instead of WebKit, so those versions are not affected by this issue. However, according to Google's own statistics, about 60% of Android users are still running version 4.3 or earlier, so the vulnerability disclosed this time will have a widespread and serious impact. The normal process is to report the vulnerability to Google, which develops a patch and releases it as part of the Android Open Source Project (AOSP).

However, according to Tod Beardsley, a developer of the Metasploit security testing framework, this time things will be different. The Android security team was alerted to the issue, but its response was:

If the affected version is earlier than 4.4, we will generally not develop a fix ourselves, but we welcome other parties to provide patches, which we will consider. Other than notifying OEM partners, we will not take any substantive action on reports that state that 4.4 and earlier versions are affected but do not include actual patches.

In other words, Google will inform its OEM partners about the issue but has no intention of fixing it. When questioned further, the Android development team gave the following response:

If the affected version is earlier than 4.4, we will generally not develop a fix ourselves, but will alert partners who may be affected. If a fix is included in the report, or AOSP obtains the relevant code, we will be happy to provide it to partners.

On further inquiry, the Android development team stated that other components in Android 4.3, such as the media player, will still receive backported patches, but WebView is left to fend for itself. Although Google has not announced a clear end-of-life decision, Android 4.3's WebView has in effect reached the end of its life cycle. Yet this WebView is still in use on most Android phones, including some currently on sale, so its lack of support and security guarantees is hard to be reassured about.

Worse, Google provides very little information about Android security vulnerabilities, whether reported or fixed. Beardsley wrote that the only information Google publishes for a fixed vulnerability is the commit message when the corresponding fix is integrated into AOSP. When a vulnerability is not fixed, no such commit exists, which means there is no public record of the problem at all.

Of course, a patch from Google for Android 4.3 and earlier would only be the first step toward solving the problem. OEMs would then need to incorporate the patch into their own firmware updates, and mobile operators would need to verify and further customize those updates. In practice, a large number of Android users would therefore never receive the fix at all. Still, it should be emphasized that without Google taking this first step, even that slim chance of a fix disappears.

In the past, these obstacles have not stopped Google from developing security updates; just last April, the company provided a fix for the Heartbleed vulnerability in Android 4.1. Although OEM partners placed many restrictions on the delivery of that update, users were at least given an option. For the WebView issue exposed this time, there is no countermeasure of any kind.

In principle, most devices running Android 4.3 and earlier should be able to receive a major update to 4.4 or even 5.0, which would remove the vulnerability. In reality, the outlook is far less optimistic: major OEMs are often reluctant to ship such large updates, and based on our understanding of smartphone manufacturers, it is simply unrealistic to expect them to adopt the latest system version purely for security fixes. The OEM's position is understandable. Once a manufacturer has released a customized build of Android 4.3 for a phone, it is usually much easier to release a new 4.3 patch for that existing build than to move to Android 4.4 or 5.0. Staying on the existing system version keeps changes to a minimum and so greatly reduces the workload.

Google's position is more complicated, because it has no way to force platform updates onto phones. Unlike Windows Update, there is no mechanism for Google to push operating-system updates directly to Android phones; it must rely on OEMs and network operators to integrate the source code changes and distribute them to users. By contrast, Apple and Microsoft both have official channels for delivering updates directly to their mobile operating systems.

In fact, the only thing Google can do is update apps on mobile devices through the Play Store infrastructure. With each new version of Android, Google moves more functionality into this layer, including components such as Google Play Services and the Google Play Store itself, which run on top of the core Android operating system. These components can be updated and maintained through the Play Store, and in Android 5 the WebView component has been moved into this category as well. So from now on, WebView can be updated under Google's direct management, but this security issue will persist in the versions where WebView is still part of the core open-source Android operating system. According to Google's own estimates, Android 5.0 currently accounts for less than 0.1% of all Android users.

This improved maintenance model is also an important reason why Google keeps adding functionality in APKs, that is, outside the core Android operating system. However, such measures do nothing for the up to 60% of Android users who remain exposed to serious security threats every time they tap a link that opens in, for example, the Twitter client's built-in browser.

Original English article: http://arstechnica.com/security/2015/01/google-wont-fix-bug-hitting-60-percent-of-android-phones/
