Google Stopped Pushing Out Critical Android Security Updates For Nearly 1 Billion Users

January 12, 2015 - Written By Kristijan Lucic

Security has always been extremely important, and today the emphasis on it is bigger than ever. The Internet and all the technology connected to it have opened up a lot of possibilities: we can do so many things from the comfort of our homes, things we never dreamed of. Unfortunately, there are people out there trying to take advantage of the fact that we do financial transactions via our computers, smartphones… even our watches. That’s the reason many companies put a huge emphasis on security these days, as they should.

Google did something really odd and unwise: the company behind the Android platform has decided to stop pushing out security updates for the WebView tool within Android on Android 4.3 JellyBean. The company did this without warning, and it will affect 939 million devices worldwide, which is a huge number, no doubt. If the number on its own doesn’t give you a clear picture, this basically means that two-thirds of Android users won’t get security updates anymore. The WebView tool allows applications to display web pages inside the app itself, and a lot of apps use this component of Android. “WebView, for many, many attackers, is Android, just as Internet Explorer [Microsoft’s browser] is usually the best vector for attackers who want to compromise Windows client desktops,” said Tod Beardsley, Rapid7 engineering manager, to Forbes.

The WebView tool has its weaknesses, which makes the lack of updates even more dangerous. Rapid7 has numerous exploits in its penetration testing kit Metasploit at the moment, and the most recent version comes with 11 different WebView exploits bundled in. Google decided to unbundle WebView from the operating system in Android 5.0, which means users can update WebView separately via the Google Play Store. “While the sub-0.1% of Lollipop users will enjoy that leap forward with a Play store updatable WebView, the other 99.9% of us are stuck with OS updates for the equivalent of a browser patch – if there is a patch available at all,” Mr. Beardsley added.

Keep in mind that hacking into WebView is not an easy task at all, so don’t get too worried for nothing, but this is still rather odd and, I’d say, bad news. Google didn’t want to comment on this matter, but I believe we’ll get some official news soon. End-of-cycle moments come sooner or later, but if this story pans out, Google cut the cord way too soon; there are way too many users still running Android 4.3 JellyBean. Your thoughts?