Google caused a stir in the information-security industry this month by publicly disclosing flaws in the software of its rivals Apple and Microsoft. But now Google is itself taking heat for leaving two flaws in its own Android mobile operating system unpatched.
The first flaw, in the WebView component of Android 4.3 Jelly Bean and older, will stay unpatched for "practical" reasons. The second, in Android's implementation of the Wi-Fi Direct protocol, may eventually receive a patch, but Google insists the bug is a low priority since it isn't as severe as its critics make it out to be.
WebView lets third-party Android apps leverage the stock Android browser to display ads and other Web-based content. In Android 4.4 KitKat and 5.0 Lollipop, that browser is Chrome, but previous versions of Android — estimated to run on 930 million devices worldwide — use the earlier browser, aka Browser, which Google no longer works on.
Earlier this month, researchers from Boston security firm Rapid7 disclosed how Browser and WebView could be leveraged to infect Android devices. They told Google about it — and Google apparently responded that it wasn't interested in patching Browser to fix the problem.
On Friday (Jan. 23), a Google Plus post by Google engineer Adrian Ludwig confirmed that policy, stating that because WebView is so complex, fixing it on Android 4.3 Jelly Bean or older "was no longer practical."
Maintaining the many different flavors of Android on many different types of hardware is demanding, and this cutoff point makes the work easier to manage. By comparison, improvements in Android 4.4 KitKat and 5.0 Lollipop make it easier to disseminate fixes across the myriad Android devices running these systems — and don't depend on handset makers and cellular carriers to push out updates, as any changes to earlier versions of Android would require.
But it's precisely that diversity of Android flavors and types that means a majority of Android users will now be left with vulnerable software. Many devices, due to hardware incompatibility or manufacturer and carrier intransigence, cannot upgrade to Android 5.0 Lollipop or even Android 4.4 KitKat.
Aside from upgrading to KitKat or later — either through an official channel or by installing stock Android or Cyanogenmod — there isn't a lot that users of Jelly Bean and earlier can do to avoid WebView flaw. Simply installing Chrome won't fix the issue, as WebView will continue to use Browser. It might be best to simply go into Airplane Mode when playing a game that displays a lot of ads.
The Android Wi-Fi-Direct flaw is a different story. Wi-Fi-Direct is a standard for peer-to-peer wireless communication among Wi-Fi enabled devices — no router or access point needed. This particular flaw was found by Boston-based security company Core Security, which reported it to Google's Android security team on Sept. 26 of last year.
But the flaw went unpatched, which is why Core chose to force Google's hand by disclosing it yesterday (January 26) via an advisory on the Full Disclosure mailing list.
The flaw works like this: When an Android device is scanning for peers in Wi-Fi Direct mode, attackers within range of that device could send a specially crafted signal that would case the device to reboot. It's been demonstrated to work on Android 4.1 and 4.3 Jelly Bean and 4.4 KitKat, but Android 5 Lollipop seems to be unaffected.
Avoiding exposure to the flaw is fairly easy: Don't turn on Wi-Fi Direct, which is normally accessed through the Settings menu.
The embarrassing disclosure is a taste of its own medicine for Google, whose Project Zero security team has disclosed several Microsoft and Apple flaws before they were patched because the companies were unable to fix them within Google's 90-day non-disclosure window.
Google says the Wi-Fi-Direct flaw is not pressing, because it requires that attackers be in close proximity to the Android, and because it only causes the devices to reboot without any damage.
- 10 Simple Tips to Avoid Identity Theft
- How to Stay Safe on Public Wi-Fi
- 7 Ways to Lock Down Your Online Privacy
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.