Google on Friday defended its decision to stop patching WebView, a core component of Android, on versions older than 4.4, aka "KitKat," saying that the huge code base is unsafe to fix.
"Until recently, we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier," wrote Adrian Ludwig, Android's lead security engineer, on Google+. "But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two-plus-year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely."
Ludwig was responding to claims made earlier in the month by Tod Beardsley, the engineering manager at security vendor Rapid7, who contended that Google's security team would no longer craft fixes for flaws in WebView for Android 4.3 and older. Android 4.3, the predecessor to KitKat, is better known as "Jelly Bean."
WebView powers the stock Android browser included with Jelly Bean -- Google replaced that browser with Chrome in KitKat -- and is called by any app that displays a Web page in KitKat and earlier. (A much-changed WebView was spun out of the operating system as of Android 5.0, aka "Lollipop," so that it can be updated independently of the OS.)
Because it's not only at the heart of Google's mobile browsers, but also heavily used by apps, any exploitable bugs in WebView would pose a significant threat to users, Beardsley said in a blog post of Jan. 12 and an interview with Computerworld the same day.
"WebView is the attack vector for Android," Beardsley said then. "If I'm an attacker, I'll exploit WebView by making a website and hope that people will click on it."
According to Beardsley, the Android security response team first replied to bug reports in mid-October with the "we-don't-patch-WebView-anymore" message. Beardsley used his blog to urge Google to change its collective mind and return to patching WebView in those older editions, which by Google's own admission power more than 60% of all Android devices.
Ludwig confirmed that WebView would not be updated on most Android smartphones or tablets, and spelled out Google's patching policy.
"We provide patches for the current branch of Android in the Android Open Source Project (AOSP) and directly provide Android partners with patches for at least the last two major versions of the operating system [emphasis added]."
"First, I'm surprised that Google responded. They usually don't respond to security stuff," said Beardsley in an interview Friday. But at least everyone now understands where they stand regarding Android fixes. "This was the first time that [the patching policy] has been said out loud," Beardsley added. "I'm glad they're saying it out loud, but it's not super helpful."
The various flavors of Jelly Bean were released from July 2012 through July 2013, meaning that WebView on the newest Jelly Bean release was supported for only about a year, and on the oldest for just over two years at the most.
By comparison, Apple supports several generations of devices with its latest edition of iOS and unlike Google, serves them directly to users. (Last year's iOS 8 supports the iPhone 4S and later; the iPhone 4S first went on sale in October 2011.) Microsoft, meanwhile, supports its Windows desktop operating system for 10 years and will support Windows Phone 8.1 for three years, or until July 2017.
Google's Ludwig recommended that users run Chrome or Mozilla's Firefox, which are updated regularly. "Using an updatable browser will protect you from currently known security issues, and since it can be updated in the future, it will also protect you against any issues that might be found in the future," Ludwig said.
App developers, said Ludwig, should follow security best practices, load only trusted content -- that on the device or via HTTPS -- or write their own renderer.
"That's some good advice and some weird advice," countered Beardsley, agreeing that developers should take Ludwig's heed on security practices. As for the rest? "That's a little unrealistic. There are plenty of apps that do nothing but render ads, and I doubt that many [ad networks use] HTTPS," Beardsley said. "And write your own renderer? Weird. I don't know how this solves the problem for people who are stuck on 4.3."
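Ludwig's advice to load only on-device or HTTPS content, made concrete as an added example (this is illustration written for this page, not code from Google or Rapid7): a WebViewClient that allowlists navigations and subresource fetches, using the String-based callbacks available on Jelly Bean-era APIs. The host name app.example.com and the bundled blocked.html asset are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: confine a WebView to content the app trusts -- HTTPS from an
 * allowlisted host, or pages bundled in the APK's assets -- so an arbitrary
 * site cannot reach a renderer bug in an unpatched WebKit. The allowlisted
 * host and the asset path below are assumptions for illustration.
 */
public final class TrustedWebView {

    // Assumption: the only remote origin this app is prepared to render.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    // Assumption: first-party pages shipped inside the APK.
    private static final String ASSET_PREFIX = "file:///android_asset/";

    private TrustedWebView() {}

    /** Policy decision, kept separate from the WebView so it can be unit-tested. */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        if (scheme.equalsIgnoreCase("https")) {
            String host = uri.getHost();
            return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
        }
        // Only bundled pages; any other file:// URL (downloads, other apps' data) is refused.
        return scheme.equalsIgnoreCase("file") && url.startsWith(ASSET_PREFIX);
    }

    /** Apply restrictive settings and the allowlisting client to an existing WebView. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);               // enable only if the trusted pages need it
        s.setAllowFileAccess(false);                 // assets/resources still load; other file:// does not
        s.setAllowContentAccess(false);              // no content:// providers
        s.setAllowFileAccessFromFileURLs(false);     // API 16+
        s.setAllowUniversalAccessFromFileURLs(false);// API 16+

        webView.setWebViewClient(new WebViewClient() {
            // Navigations after the first load (link clicks, redirects). Returning true cancels.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url);
            }

            // Subresources (scripts, images, frames) the page itself fetches.
            // Returning null lets WebView fetch; an empty response blocks the request.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isTrusted(url)) return null;
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
    }

    /** The initial load is not routed through shouldOverrideUrlLoading, so check it here. */
    public static void loadTrusted(WebView webView, String url) {
        webView.loadUrl(isTrusted(url) ? url : ASSET_PREFIX + "blocked.html");
    }
}
```

This enforces the "trusted content only" half of Ludwig's advice; it does nothing for the renderer itself, which is still the unpatched WebKit on a Jelly Bean device. It also shows the limit Beardsley points to: an ad SDK that pulls third-party markup over plain HTTP cannot be allowlisted this way, so an app that depends on one is left with dropping the SDK or shipping its own renderer.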
Ludwig claimed that Android users were being updated to KitKat and Lollipop from the vulnerable Jelly Bean and earlier. "With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices," Ludwig asserted.
Google and the mobile carriers that sell Android devices may be getting better at updating the operating system in a more timely fashion, but the progress has been slow, as Google's own statistics show: More than six out of every 10 Android devices ran Jelly Bean or earlier as of Jan. 5, the last time the numbers were refreshed.
Jelly Bean, for instance, powered 36% of all Android devices, almost as much as KitKat (with 39.1%). And Lollipop's share remained under the 0.1% cutoff for the listing.
"There are reasons why users are on older Android," Beardsley said, ticking off the usual ones, which range from not having the money for a more up-to-date smartphone with a later version of Android to foot-dragging by most carriers, who prefer to sell new hardware rather than update old devices.
"In five years, the situation will be better, but it still won't be 100%," Beardsley argued. "There will be an active marketplace for [older Android version] exploits forever," he added, pointing out the still-vibrant market for Windows XP exploits.
"Throwing 60% of all devices into the legacy category, I don't think that's helpful," Beardsley said.
But that's just what Ludwig admitted, Beardsley's earlier call for Google to reconsider notwithstanding.
"They're not backpedalling, that's clear," said Beardsley.