Google’s Android mobile operating system takes a lot of criticism from security researchers for various security flaws and weaknesses. This week, Rapid7 security researcher Todd Beardsley strongly criticized Google for not patching a security vulnerability that he disclosed to the search giant.
The security flaw disclosed by Beardsley is in the WebView component that is part of the default Android Web browser in versions of Android prior to 4.4 KitKat. According to Beardsley, Google told him it would not patch any versions of Android prior to 4.4 for WebView.
The problem with not providing a fix for versions of Android prior to 4.4 is simple and yet quite profound. Versions of Android prior to 4.4 are more dominant than later versions, with over 900 million pre-Android 4.4 devices in the market today. That doesn’t mean, however, that the sky is falling and that all users of Android devices prior to 4.4 should trash their phones. The flaw that Beardsley reported is in a specific component of Android known as WebView, and Google’s comments about patching specifically relate to providing a patch for WebView.
In a recent interview, Jeff Forristal, CTO of mobile security vendor Bluebox Security, noted that vulnerabilities he first disclosed at the Black Hat 2013 conference still have not been patched by all Android vendors. Forristal discovered the MasterKey and FakeID vulnerabilities that could have potentially enabled an attack to exploit Android devices.
Android’s Complicated Patching History
While Google patched for both the MasterKey and FakeID vulnerabilities, those patches haven’t found their way to every single Android device. The issue with the MasterKey and FakeID vulnerabilities is also one of support, with some Android 4.2 vendors making patches available and others choosing not to do so. There are over 7,300 Android devices, Forristal said, and they each have a different patching history and support lifecycle.
In many cases, an individual phone vendor will only support a given device with software updates for two years from the time it was first released.
Just because there is a vulnerability in a piece of software doesn’t mean that the device will actually be exploited. While it’s never a good idea to run software with known vulnerabilities, best practices and good Internet hygiene also both play a role in prevention.
In general Android users are advised to only obtain software from the official Google Play store. The theory is that Google scans applications in the Play store, which might serve to reduce the risk of malicious apps.
Options for Older Android Versions
In the case of both the WebView vulnerability as well as the older MasterKey and FakeID vulnerabilities, users have options.
For WebView, it is a component in the default Android browser in pre-Android 4.4 versions. Users can simply choose to use a different browser that is still actively being updated. Popular choices include Google’s Chrome browser and Mozilla’s Firefox.
Users can also install their own Android operating system instead of the one provided by the device manufacturer. After all, Android is an open source-based operating system and thus facilitates multiple choices. One popular option is the CyanogenMod Android system, which will still support older devices that vendors have already dropped.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.