
Why the Android WebView security bug will not be fixed

Recently, news of a security flaw in older versions of Android has been receiving a considerable amount of coverage in the mainstream press. The issue centres on WebView, the component Android uses to render web content, both in the stock browser and inside any app that embeds it.

The problem affects software such as the old stock web browser and any other app which uses WebView to display content. Android 4.3 Jelly Bean and earlier versions of the operating system are affected; from 4.4 KitKat onwards WebView is based on Chromium rather than the older WebKit-based engine.

What is the Android WebView security bug?

Describing the Android WebView security bug that much of the press has been referring to is not as straightforward as it should be. Whilst the media reports refer to one particular flaw, the problems are actually more widespread.

The issue that has been focussed on was detailed in a blog post by independent security researcher Rafay Baloch in September 2014. It is a same-origin policy bypass: a vulnerability that could allow users to be spied upon, or even have their browsing sessions hijacked.

Normally a browser's same-origin policy stops script on one site from reading content belonging to another. Using JavaScript, a malicious website could get around this and read the content of other pages it loads, for example in a frame. So if a user were to visit a malicious site while also viewing a page containing private financial information, the operator of the nefarious site could gain access to that data.

The exploit could even copy a session cookie. So if someone was logged in to a particular account, that browsing session could be hijacked, giving the attacker access to the account in question without needing the password.

But whilst this particular security flaw poses a relatively serious risk, it is by no means an isolated case.

The fact that Google will not be issuing a fix for the security flaw was highlighted in a recent blog post by Tod Beardsley of Rapid7, the company behind the Metasploit penetration-testing framework. However, as Beardsley pointed out, security researchers such as Baloch and Joe Vennix are regularly uncovering new vulnerabilities in the old WebView, so this is one of many rather than a one-off.

Why will Google not fix the problem?

It is well known that Microsoft supports editions of Windows for a specified period of time. There was much discussion of this in April 2014 when the company, as planned, stopped supporting the popular Windows XP operating system.

Support for Android works somewhat differently, and Google does not specify how long a particular version of Android will receive updates for.

Part of the reason for differences in the way that support is offered on Windows and Android is the procedures that are used for delivering updates.

In the case of Windows, Microsoft provides updates directly through its Windows Update service. With Android, the way that updates are managed varies depending on the device.

Nexus-branded products, for example, receive updates directly from Google. That is why older hardware such as the Nexus 4 – which was released back in November 2012 – has been provided with an official release of the latest version of Google’s mobile OS, Android 5.0 Lollipop.

With most Android-powered products, however, updates are the responsibility of the device manufacturer. And sometimes even mobile networks are involved in the management of update releases.

The reason Android updates are handled in this way is that device manufacturers are able to modify the OS themselves in order to differentiate their products.

The changes that manufacturers make to Android mean that Google is not able to simply push out updates to all Android devices. Updating the OS in this way would introduce all manner of compatibility issues, given that device manufacturers have added their own features on top of stock Android builds.

What are the risks?

Web browsers such as Chrome and Firefox are not affected by the aforementioned Android WebView security bug: they ship their own rendering engines and are updated through Google Play rather than with the operating system. Using a modern, regularly updated web browser, rather than the old stock browser or a variation of it, helps to mitigate the risk. It does not, however, protect other apps on the device that embed the system WebView, which still use the vulnerable component.

Where some of the press reports have been a little misleading is in spreading the idea that this is somehow a new problem.

The key aspect of this story is that Google are saying they will not be contributing a fix for this security flaw to the Android Open Source Project (AOSP).

The AOSP is the central codebase from which final consumer editions of Android are compiled. Of course, as Google has pointed out, others are still free to submit patches.

But even if Google, or anyone else, were to fix the WebView security bug in AOSP, the reality is that the fix would not reach most end users. In most cases the decision to issue an update rests with the device manufacturer, and very few, if any, are still providing updates for systems running Android 4.3 Jelly Bean or earlier.