If you've got one of the 930 million or so Android devices that run 4.3 Jelly Bean or earlier, you may want to steer clear of the standard Android Web browser and any apps that display Web content. Google has discontinued updates for its WebView software on Android 4.3 and earlier, which leaves those devices exposed to security exploits of every variety.
This information comes by way of SecurityStreet, the blog attached to Boston-based IT security company Rapid7. Security researchers Rafay Baloch and Joe Vennix have been hard at work developing exploits for Android systems and reporting them to Google. The only trouble is that Google isn't interested, at least when it comes to Jelly Bean or earlier.
Google's Android security team replied by e-mail to the reported vulnerabilities, explaining that it would issue WebView patches only for the two most recent versions of Android, 4.4 KitKat and 5.0 Lollipop. Since nearly one billion devices haven't been upgraded — or can't upgrade — to those versions, this creates a huge security risk. If two security researchers can create a whole host of exploits, it stands to reason that hundreds or thousands of attackers around the world could accomplish the same thing.
For those not familiar with the inner workings of Android, WebView is an integral part of the OS that leverages the built-in Web browser's rendering engine to display Web-based content inside non-browser apps. When you see an ad pop up at the bottom of an app, it's probably using WebView.
Until Android 4.4 KitKat, WebView used the stock Android browser, commonly known as just "Browser." Google dumped that browser with KitKat and switched to Chrome, which many of its users were using as their primary browser anyway. It's easy to see why Google would want to keep Chrome current, but not expend too much time and energy on a system that's been phased out.
Unfortunately, users of older versions of Android don't have a lot of options, except to try to update their older phones or tablets to KitKat or Lollipop. (In the United States, cellular carriers often determine which version of Android a device will run.) Otherwise, they'll have to live with the WebView vulnerability and hope they're not exposed to any Web-borne malware — which is, admittedly, difficult to install in Android.
Google told Rapid7's Tod Beardsley that it would welcome third-party fixes for Browser-based WebView and roll them into future patches of Jelly Bean or earlier, but that it wasn't planning to develop any of its own.
Consider, also, an Android mobile security suite, which should spot and block most malware before it installs.