Google Refuses to Patch Android WebView Bug, Leaves 950 Million Devices Vulnerable
Own a smartphone running Android 4.3 Jelly Bean or an earlier version of the Android operating system? Then you are at great risk, and it may never end.

Yes, you heard right. If you are also one of millions of users still running Android 4.3 Jelly Bean or earlier versions of the operating system, you will not get any security updates for WebView as Google has decided to end support for older versions of Android WebView – a default web browser on Android devices.

WebView is the core component used to render web pages on an Android device, but it was replaced on Android 4.4 KitKat with a more recent Chromium-based version of WebView that is also used in the Chrome web browser.

Just a day after Google publicized a bug in Windows 8.1 before Microsoft could do anything about it, Tod Beardsley, a security analyst from Rapid7 who oversees the Metasploit project, discovered a serious bug in the WebView component of Android 4.3 and earlier that possibly left millions of Android smartphone users vulnerable to malicious hackers.

Android KitKat 4.4 and Lollipop 5.0 are not affected by the vulnerability, but over 60 percent of Android users – close to a billion people (950 Million) – still use Android 4.3 or below, which means the bug still affects a great many people.

However, Google's response after Beardsley reported the vulnerability stunned him and everyone else. The tech giant won't patch the vulnerability in WebView at all. The quote from Google to Beardsley is as follows:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
As a result, only devices running KitKat 4.4 and Lollipop 5.0 will receive security updates for WebView from Google; the remaining Android versions will stay unpatched or rely on fixes from third-party developers. The company has said that it will welcome third-party patches.
"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser', and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android'," explained Beardsley.
"On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds."
In other words, if a hacker or cyber criminal finds a way to exploit WebView on older versions of Android, Google will not release a patch for the vulnerability itself. However, if an outsider develops a patch, Google will incorporate it into the Android Open Source Project code and pass it on to handset makers. This is where the company's responsibility ends.

Google does say that WebView in older versions of Android is baked so firmly into the operating system that it is much harder for Google to deliver a patch to affected devices. In newer versions of Android the search giant has mitigated this by dropping WebView from the core OS and shipping it through the Google Play Services app, so it can be updated independently of the firmware.
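For app developers, the practical consequence is that on Android 4.3 and earlier the system WebView their app embeds will never receive a fix from Google, so the app itself has to limit what that component is exposed to. The following is an added example written for this article, not code from Google, Rapid7 or the article's author. It assumes an app that embeds a `WebView`; the class name `WebViewHardening` and the allowlist of hosts are hypothetical. It uses only public Android APIs: `Build.VERSION.SDK_INT`, `Build.VERSION_CODES.KITKAT` (API level 19, the first release with the Chromium-based WebView) and the `WebSettings` setters shown.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper: gate WebView use on whether the system WebView still receives patches. */
public final class WebViewHardening {

    // Constructed allowlist: only content the app itself controls is rendered on unpatched devices.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "static.example.com"));

    private WebViewHardening() {}

    /** True on Android 4.3 and earlier, where Google no longer ships WebView security fixes. */
    public static boolean isUnpatchedSystemWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19
    }

    /**
     * Allow a navigation only if the host is trusted and the scheme is https.
     * On patched devices (KitKat and later) any https URL is permitted; on unpatched
     * devices the page is additionally required to come from an allowlisted host.
     */
    public static boolean isLoadAllowed(String url) {
        try {
            URI uri = new URI(url);
            if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
                return false; // never render plain-http or non-network content
            }
            if (!isUnpatchedSystemWebView()) {
                return true;
            }
            return TRUSTED_HOSTS.contains(uri.getHost().toLowerCase());
        } catch (java.net.URISyntaxException e) {
            return false; // unparsable URL: refuse rather than guess
        }
    }

    /** Reduce the attack surface of the embedded WebView regardless of OS version. */
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);      // no file:// reads from the app sandbox
        settings.setAllowContentAccess(false);   // no content:// provider access
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        // JavaScript is off by default; on an unpatched WebView keep it off for anything
        // that is not first-party content, since the renderer itself will not be fixed.
        settings.setJavaScriptEnabled(!isUnpatchedSystemWebView());
    }
}
```

An app would call `WebViewHardening.harden(webView)` once after creating the view and consult `isLoadAllowed(url)` from its `WebViewClient.shouldOverrideUrlLoading` callback before letting any navigation proceed. The design choice is to treat the OS version as a risk signal: the same code path runs everywhere, but the policy tightens where the underlying component is known to be unmaintained.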
