Google Ditches Security Support for 60% of Android Users

In a move that has shocked the security community, Google has quietly decided to kill critical security updates for those running Android 4.3 (Jellybean) or below. Security researchers recently discovered an exploit in WebKit-powered WebViews. WebView is a framework used by Android to render web content within an app. Recent versions of Android are unaffected since Google switched to its new Blink rendering engine to power WebViews. However, nearly 60% of Android users are running 4.3 or below, and rely on a vulnerable version of the WebKit rendering engine. But despite the large number of affected users, Google has no interest in fixing the bug.

Google’s Refusal to Fix Bugs Affecting 939 Million Android Users

Android’s fragmentation is a well-known issue. Less than 0.1% of Android devices run the latest Lollipop OS. Compare that to the 68% adoption rate of iOS 8 and the 46.7% adoption rate of Windows Phone 8.1. Given these statistics, it would make sense for Google to continue supporting older versions of Android. However, after receiving a report of a newly-discovered vulnerability in WebView on pre-4.4 devices, the Android security team responded with the following:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

In the past, the Android security team has been quick to provide bug fixes to older devices. But this response indicates a dramatic shift in policy. Security researcher Tod Beardsley, developer of the Metasploit penetration testing framework, asked the Android security team for clarification, and received a similar response:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.”

Essentially, Google is asking vulnerability reporters to provide their own patches. While dropping support for legacy versions is common practice amongst software vendors, it’s important to consider that most of Android’s user base (939 million people) is not running the latest Android OS. Furthermore, while Google’s “solution” is that these people upgrade to a newer version of Android, this isn’t a viable option for most. While Apple and Microsoft have tight control over their phones, Google practically has none. OEMs and carriers determine the user experience on Android devices, including when, and if ever, they can receive operating system updates. The quickest way to be on the latest OS is to buy a new phone entirely, which, economically, isn’t the best option considering that Lollipop phones like the Nexus retail for $648.

Beardsley reported that certain components of pre-4.4 devices will still continue to receive updates, such as multi-media players. However, Google’s new policy with WebView support may set a precedent for axing other security updates on older devices. Furthermore, most Android users are now open to a range of exploits, as WebView has often been used as an attack vector. For now, it seems like avoiding the web entirely is the only “patch” available for pre-KitKat users.

Images from Shutterstock and SecurityStreet.

I've always been interested in the latest stuff in science and technology, and I'm currently a freshman undergraduate electrical engineering student at the University of Texas at Austin.