
Google Ends Crucial Fixes for Android Jelly Bean

If you have one of the 930 million or so Android devices that run 4.3 Jelly Bean or earlier, you may want to steer clear of the standard Android Web browser and of any app that displays websites. Google has stopped issuing security fixes for its WebView software on Android 4.3 and earlier, and because WebView is the component many apps use to render Web content, a single WebView bug exposes not just the browser but every app that embeds it.

This information comes by way of SecurityStreet, the blog attached to Boston-based IT security company Rapid7. Security researchers Rafay Baloch and Joe Vennix have been hard at work developing exploits for Android systems and reporting them to Google. The only trouble is that Google isn't interested, at least when it comes to Jelly Bean or earlier.


Google's Android security team replied to the vulnerability reports by explaining that it would only issue WebView patches for the two most recent versions of Android, 4.4 KitKat and 5.0 Lollipop. Since nearly one billion devices haven't been upgraded, or can't be upgraded, to those versions, this creates a huge security risk: if two security researchers can produce a whole host of exploits, it stands to reason that hundreds or thousands of attackers around the world can do the same.

For those not familiar with the inner workings of Android, WebView is a system component that apps embed to display Web content inside their own screens; on devices older than KitKat it uses the same rendering engine as the built-in Web browser. When you see an ad pop up at the bottom of an app, or tap a link that opens inside the app instead of in your browser, it's probably a WebView.

Until Android 4.4 KitKat, WebView shared its rendering engine with the stock Android browser, commonly known as just "Browser." With KitKat, Google dropped that engine and replaced it with one based on Chromium, the open-source project behind Chrome, which many of its users were using as their primary browser anyway. It's easy to see why Google would want to keep the Chromium-based WebView current and not expend much time and energy on an engine that has been phased out.

Unfortunately, users of older versions of Android don't have a lot of options, except to try to update their older phones or tablets to KitKat or Lollipop. (In the United States, cellular carriers often determine which version of Android a device will run.) For everyday browsing they can at least switch to a browser that ships its own rendering engine, such as Chrome or Firefox, rather than the stock Browser. Otherwise, they'll have to live with the WebView vulnerabilities and hope they're not exposed to any Web-borne attack. Note that a WebView exploit does not need to install anything: whatever it can do, it does with the permissions of the app that rendered the malicious page, so the fact that malware is, admittedly, difficult to install on Android is only limited comfort.
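App developers, on the other hand, can shrink the exposure of their own WebViews. The code below is an added example for this article, not code from Google, Rapid7 or the researchers; the `HardenedWebView` class, its `APP_NEEDS_JS` flag and the host allow-list are hypothetical and constructed for illustration. It keeps JavaScript off when the platform WebView is one Google no longer patches (anything before KitKat, per the article), turns off local-file access, and installs a client that refuses every navigation that is not an HTTPS request to an allow-listed host.

```java
// Added example (not from the article, Google or Rapid7): a hypothetical helper that
// hardens an app's WebView and feeds it nothing but allow-listed HTTPS pages.
// The host allow-list and APP_NEEDS_JS are constructed for illustration.
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class HardenedWebView {

    // Constructed allow-list: the only hosts this app will ever render in its WebView.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "cdn.example.com"));

    // Constructed flag: set to true only if the app's own pages genuinely need JavaScript.
    private static final boolean APP_NEEDS_JS = false;

    private HardenedWebView() {}

    /** The article's cut-off: Google only patches the platform WebView on KitKat (API 19) and later. */
    public static boolean platformWebViewIsPatched() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT;
    }

    /** Allow only https:// URLs whose host is on the list; rejects javascript:, file:, data: and unknown hosts. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Apply restrictive settings and install a client that enforces the allow-list on every navigation. */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        // On an unpatched engine JavaScript is the surface most exploits need; keep it off there.
        settings.setJavaScriptEnabled(platformWebViewIsPatched() && APP_NEEDS_JS);
        settings.setAllowFileAccess(false);  // no file:// reads from the app's private storage
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            settings.setAllowContentAccess(false);  // no content:// provider reads (API 11+)
            // Common hardening step (not from the article): drop a bridge object some older
            // builds inject into every WebView, which a page could otherwise reach from JavaScript.
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Older defaults let a file:// page read other local files; turn that off explicitly (API 16+).
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation, so redirects and links that leave
                // the allow-list never reach the rendering engine.
                return !isAllowed(url);
            }
        });
    }

    /** Call this instead of webView.loadUrl(); returns false if the URL was refused. */
    public static boolean loadIfAllowed(WebView webView, String url) {
        if (!isAllowed(url)) return false;
        webView.loadUrl(url);
        return true;
    }
}
```

Call `configure()` once after creating the WebView and route every load through `loadIfAllowed()`. The allow-list does not make an unpatched engine safe; it only means an attacker must first compromise one of the listed sites (or the connection to it) before malicious content reaches the engine, and it stops the in-app ad or link from wandering off to arbitrary pages. Apps that need JavaScript on pre-KitKat devices should serve that content only from hosts they control.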

Google told Rapid7's Tod Beardsley that it would welcome third-party fixes for Browser-based WebView and roll them into future patches of Jelly Bean or earlier, but that it wasn't planning to develop any of its own.

Consider, also, an Android mobile security suite, which should spot and block most malware before it installs. Bear in mind, though, that no security app can patch the WebView engine itself; it can only try to catch whatever an exploit drops afterward.


Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

  • das_stig
    No comment on Google forcing manufacturers and ISPs to give users updates to secure them online. Another case of got your money now FOAD, unless we can tempt you with a shiny new device that will be end of life 2 weeks later!
  • smeezekitty
    I never use the standard Android browser but this is ridiculous.
    Jelly Bean isn't that old