Just as Google is coming under fire for publicizing a Windows bug two days before Microsoft released a fix, the company is now in the crosshairs because of its approach towards updating its own software.
Not for the first time, a bug has been found in the WebView component of Android 4.3 and below. This is the embeddable browser control powered by a version of the WebKit rendering engine used in Android apps.
Android 4.4 and 5.0, which use Blink rather than WebKit for their WebView, are unaffected. But by Google’s own numbers, some 60 percent of Android users are using 4.3 or below. As such, this is a widespread, high-impact bug. The normal procedure would be to report the bug to Google, and for Google to develop a fix and publish it as part of Android Open Source Project release.
But, writes Tod Beardsley, developer of the Metasploit security testing framework, that’s not what happened this time. The Android security team was notified of the problem, and the response was
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
Google will tell OEMs about the problem, but has no interest in fixing it. Asked for clarification, the Android developers responded:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.
After further correspondence, the Android developers replied that components of Android 4.3 such as the media player would receive back-ported patches. But WebView was on its own. Though there appears to be no clear end-of-life policy from Google, Android 4.3’s WebView has reached the limit. The WebView controls used on a majority of Android phones, and still used in newly sold Android phones today, are unsupported and insecure.
Making this worse, Google isn’t even providing much information about those Android vulnerabilities that are reported or fixed. Beardsley writes that Google’s only indication of a fixed security flaw is the commit message written when the fix is integrated into AOSP. When a flaw isn’t even fixed, there’s obviously no commit message, and so there’s no good public record of the problem.
Of course, Google producing a patch for Android 4.3 and below would only be the first step. OEMs would have to bake that patch into their own firmware updates, mobile operators would have to validate and customize those firmware updates further still, and it’s unlikely that, in practice, many Android users would ever receive the patch. But without Google taking the first step, even that slim possibility is eliminated.
This difficulty has not prevented Google from developing updates in the past; in April of last year, it developed a fix for Android 4.1.1 to fix the Heartbleed flaw. OEM availability of that update may have been limited, but at least the option existed. For the WebView problems, it does not.
In principle, most phones running Android 4.3 or below could receive major updates to 4.4 or even 5.0, and eliminate the bug in that manner. This, however, ignores the practice that OEMs are frequently unwilling to make this kind of major update; given what we know of smartphone manufacturers, expecting them to pick up the very newest version just to get security fixes isn’t at all realistic. The OEM position is understandable. A manufacturer shipping a customized version of Android 4.3 on a phone will generally find it much easier to update that custom version to a newer 4.3 patch level than it will to update to Android 4.4 or 5.0. The changes are smaller, and the work required is lesser.
Google’s position is complicated, because it has produced a platform that it has no power to update. There’s no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users. Both Apple and Microsoft, in contrast, have a direct channel to update their mobile operating systems.
What Google can update is apps, through the Play Store infrastructure. With each new release of Android, Google has pushed more functionality into packages such as Google Play Services and Google Play Store that run on top of the core Android OS. These packages are updated and maintained through the Play Store system, and in Android 5, this includes the WebView control. So going forward, this component can be updated—though the same problem will remain for those portions that remain as part of the core open source Android OS. Android 5.0 is, incidentally, currently in use by less than 0.1 percent of Android users, by Google’s own estimates.
This improved servicing and maintenance is one of the reasons that Google has been pushing more features into APKs and out of the Android OS. But it does little to help the 60 percent of Android users who are currently at risk every time they open a link in the browser embedded into their Twitter client.
Peter Bright / Peter is Technology Editor at Ars. He covers Microsoft, programming and software development, Web technology and browsers, and security. He is based in Houston, TX.
|Evernote helps you remember everything and get organized effortlessly. Download Evernote.|