Google's New Android Patch Policy Puts 939 Million Users at Risk: Report

By Ketan Pratap | Updated: 13 January 2015 18:22 IST
Google has reportedly stopped providing security updates for WebView on Android Jelly Bean and below. A security research publication, Rapid7, has claimed that the Mountain View giant stopped providing patches for WebView within Android 4.3 or below starting late last year. The report also suggests that the company currently supports WebView only on devices running Android 5.0 Lollipop and Android 4.4 KitKat.

Forbes reports, "Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below."

Rapid7 engineering manager Tod Beardsley told Forbes, "It's also the favoured vector for attack for nearly any remote code execution vulnerability in the mobile OS. WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft's browser] is usually the best vector for attackers who want to compromise Windows client desktops."

"WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser," Rapid7 explains.

According to the report, Rapid7's Joe Vennix and Rafay Baloch, an independent researcher, discovered the potential vulnerability in Android 4.3 Jelly Bean or below and contacted Android's security team, who responded: "If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."


The move appears to reflect Google's new policy for handling vulnerabilities in Android 4.3 or below: it will come up with patches only if a user not only reports the vulnerability in the older Android version's WebView but also provides a solution. Rapid7's Beardsley points out, "I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position. This change in security policy seemed so bizarre, in fact, that I couldn't believe that it was actually official Google policy."

Android's security team added, "If patches are provided with the report or put into AOSP we are happy to provide them to partners as well."


To add some context, Google's latest distribution data of different versions of Android has revealed that Android 5.0 Lollipop, the latest publicly available version of Google's mobile and tablet operating system, is powering less than 0.1 percent of Android devices while Android KitKat has a total share of 39.1 percent. The distribution data of different versions of Android also revealed that Android Jelly Bean still powers the greater part of Android devices, with a combined percentage of 46 percent.

 
