Google Ends Crucial Fixes for Android Jelly Bean

If you've got one of the 930 million or so Android devices that run 4.3 Jelly Bean or earlier, you may want to steer clear of the standard Android Web browser and any apps that can view websites. Google has discontinued updates for its WebView software on Android 4.3 and earlier, which leaves devices ripe for security exploits of every variety.

This information comes by way of SecurityStreet, the blog attached to Boston-based IT security company Rapid7. Security researchers Rafay Baloch and Joe Vennix have been hard at work developing exploits for Android systems and reporting them to Google. The only trouble is that Google isn't interested, at least when it comes to Jelly Bean or earlier.

The Android security e-mail account replied to the vulnerabilities by explaining that it was only interested in issuing WebView patches for the two most recent versions of Android, 4.4 KitKat and 5.0 Lollipop. Since nearly one billion devices haven't been upgraded — or can't upgrade — to those, this could create a huge security risk. If two security researchers can create a whole host of exploits, it stands to reason that hundreds or thousands of hackers around the world could accomplish the same thing.

For those not familiar with the inner workings of Android, WebView is an integral part of the OS that leverages the built-in Web browser to display Web-based content in non-browser apps. When you see an ad pop up at the bottom of an app, it's probably using WebView.

Until Android 4.4 KitKat, WebView used the stock Android browser, commonly known as just "Browser." Google dumped that browser with KitKat and switched to Chrome, which many of its users were using as their primary browser anyway. It's easy to see why Google would want to keep Chrome current, but not expend too much time and energy on a system that's been phased out.

Unfortunately, users of older versions of Android don't have a lot of options, except to try to update their older phones or tablets to KitKat or Lollipop. (In the United States, cellular carriers often determine which version of Android a device will run.) Otherwise, they'll have to live with the WebView vulnerability and hope they're not exposed to any Web-borne malware — which is, admittedly, difficult to install in Android.

Google told Rapid7's Tod Beardsley that it would welcome third-party fixes for Browser-based WebView and roll them into future patches of Jelly Bean or earlier, but that it wasn't planning to develop any of its own.

Consider, also, an Android mobile security suite, which should spot and block most malware before it installs.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com.

  • das_stig
    No comment on Google forcing manufacturers and ISPs to give users updates to secure them online. Another case of got your money now FOAD, unless we can tempt you with a shiny new device that will be end of life 2 weeks later!
  • smeezekitty
    I never use the standard Android browser but this is ridiculous.
    Jellybean isn't that old.