January 16, 2015 By Jaikumar Vijayan 2 min read

Tens of millions of Android smartphone owners could be at a higher risk of malicious attacks because of a decision by Google to stop issuing Android patches for a key software component in older versions of its mobile operating system (OS).

Little Notice

With little public notice, Google has stopped issuing security patches and other updates for WebView on Android 4.3 (Jelly Bean) and prior versions of the OS. The company currently only supports Lollipop, the latest version of Android, and KitKat, Lollipop’s predecessor.

This decision means roughly 60 percent of Android devices — about 930 million smartphones, by some estimates — are vulnerable to attacks that exploit flaws for which no patches are currently available — nor are they likely forthcoming from Google.

“This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases,” said Tod Beardsley, a researcher at security firm Rapid7. He was one of the first people to learn of Google’s new policy to stop Android patches for older versions of the OS.

Beardsley said he fully expects smartphones running affected versions of the Android OS to be increasingly targeted by attackers and penetration testers once word of Google’s decision spreads.

Easy Targets

A WebView basically lets a Web browser be opened from inside a mobile application. Developers typically add a WebView to their application if they want it to display as a Web page or run a Web application. Google replaced its original WebView for Android with an updated version of the component based on the Chromium open source project when it released Android 4.4, or KitKat. The new WebView has the same rendering engine as the one used by Chrome to render browser pages on Android devices.

Sometime between KitKat and the release of Lollipop, Google apparently decided to stop issuing Android patches for WebView on Jelly Bean and previous versions of Android.

Highly Vulnerable Without Android Patches

Beardsley said he discovered the change when reporting a new vulnerability in WebView to Google. The vulnerability is one of close to a dozen that security researchers have discovered in WebView in recent months. All the vulnerabilities exist in Android 4.3 and earlier, which are precisely the versions Google no longer supports.

Google incident handlers responding to Beardsley’s bug submission basically said the company does not develop patches for older versions of Android. However, Google is apparently open to receiving patches from those reporting vulnerabilities. The incident handlers added that other than alerting original equipment manufacturers of a bug, Google will not take any further steps to patch or mitigate problems on Jelly Bean and older versions of Android.

Google’s Reasons

Google’s reasoning is reportedly based on the fact that it no longer certifies third-party devices that include the Android browser, Beardsley wrote. Google leaves it up to original equipment manufacturers and carriers to ensure their devices are properly patched. Generally, when Google receives an Android vulnerability report, it provides quick security updates for Nexus devices, which it controls. It also ensures future releases of Android are free of the reported problem.

However, in all other situations, the company has maintained that the best way to ensure continued support is for users to upgrade to the latest versions of the Android OS.

“To put it another way, Google’s position is that Jelly Bean devices are too old to support — after all, they are two versions back from the current release, Lollipop,” Beardsley said.

Image Source: Flickr

More from

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Cybersecurity trends: IBM’s predictions for 2025

4 min read - Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.AI might have…

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today