Google has decided to end support for older versions of Android WebView, the default web browser on 'droid devices.
This will apply to users running 4.3 or earlier versions of its Android smartphone OS.
It has decided instead to invite securobods to fix the problem, saying it "welcome(d) patches with the report for consideration"...
The move affects 60 per cent of Android’s active user base.
"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser', and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android'," explained Tod Beardsley, engineering manager at Rapid7, the developers of the Metasploit penetration testing tool. "On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds."
WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView.
As a result of the change, Google will no longer be providing security patches for vulnerabilities that only affect versions of Android's native WebView prior to 4.4. Jelly Bean (versions 4.0 through 4.3) and earlier will no longer get security patches for WebView from Google, according to Android security incident handlers.
Chris Boyd, a malware intelligence analyst at Malwarebytes, argued that the change wouldn't make much practical difference to the Android security threatscape.
“Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake / rogue application installs - typically by sites asking the device owner to allow installs from 'unknown sources',” Boyd explained.
“If they avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be, given this new approach to updates.
“It is unusual to expect researchers who discover vulnerabilities to provide their own patch alongside it, hoping the Android team may include it at a later date - and it remains to be seen if this approach will be a success.”