Google confirmed that it has no plans to develop patches for WebView flaws in Android 4.3 or earlier versions. The problem is that Android is the most widely used mobile platform, and more than 60 percent of the Android devices currently in use are vulnerable to WebView flaws.
I wrote a blog post about the controversy, and the confusion over who is actually responsible for developing updates and protecting Android users:
Security researchers have developed a number of exploits that target WebView in older versions of the Android mobile operating system. Although about 60 percent of the mobile devices currently in use rely on the vulnerable WebView, Google has confirmed it has no plans to develop a patch or update to protect them. Todd Beardsley explained in a post on the Rapid7 Security Street blog that Metasploit currently ships with 11 exploits for WebView. He clarifies, “WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.”
Google used to develop fixes for these older bugs, but it apparently no longer supports the “legacy” versions of Android, or at least the WebView component, on older releases. According to Beardsley, Google's new official position is that it will not develop patches for WebView issues affecting Android prior to version 4.4 (KitKat), but it will accept patches from researchers and notify OEM partners when a new vulnerability is discovered.
“Even if Google did provide a patch, it would not immediately help those ‘60 percent’ as the final ‘mile’ to the customer handset must be provided by the phone manufacturers or OEMs,” explained Garve Hays, solution architect with NetIQ. “In fact, the OEMs took consumer money, not Google (unless you consider Nexus handsets). So the OEMs should stand by their customers and provide a patch, or an upgrade path to KitKat or better.”
Check out the full story on CSOOnline: 60 percent of Android devices left vulnerable to security risk.