Forbes reports that nearly one billion Android smartphone users that are not running the latest Lollipop operating system are at risk of malicious attacks due to Google no longer releasing security updates for the WebView tool on Android versions at or below 4.3 Jelly Bean. Research firm Rapid7 discovered that Google started the process of ending support for WebView late last year for devices not running Android 5.0 Lollipop.

WebView is a commonly used Android class, based on the WebKit rendering engine, that displays webpages without having to open another application. It is also one of the most frequently used vectors for remote code execution vulnerabilities on Android, akin to how Internet Explorer is often a gateway for attackers on Microsoft platforms, which makes the lack of future updates a serious issue for Android users not running Lollipop.

“Software weaknesses have repeatedly been uncovered in Android and WebView, making the lack of updates even more dangerous,” writes Forbes. “Rapid7 has added numerous exploits to its penetration testing kit Metasploit. The most recent version comes with 11 different WebView exploits bundled in, meaning both ethical and criminal hackers could easily exploit the tool and subsequently Android operating systems.”

Despite no plans to release any further updates itself, Google will still accept patches included as part of user-submitted solutions to bugs and security vulnerabilities through AOSP. In other words, Google might release future security updates for WebView if the patch is provided by a third-party developer or vendor, which Rapid7 calls a rare and rather unprecedented move for a tech company of this size.

Google unbundled WebView from its core operating system when it released Android Lollipop last October, shifting updates to the Play Store for the tool. A major caveat: you must be running Lollipop to access these automatic downloads. Enter the problem of fragmentation within the Android ecosystem, leading to less than 0.1 percent of all Android device owners running Lollipop, and the issue here becomes clear.

Android users running 4.3 Jelly Bean and below can have some peace of mind in knowing that attackers face certain limitations in attacking WebView. Forbes claims that malicious attackers would need to “get exploit code onto a web page displayed by a targeted app, or trick a user to follow links then rendered by WebView.” Android users that exercise caution in installing only trusted apps should be less vulnerable to attack.

About the Author