Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Google Android Cellphones Handhelds Security IT

Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3 579

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
This discussion has been archived. No new comments can be posted.

Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

Comments Filter:
  • by BVis ( 267028 ) on Monday January 26, 2015 @10:58AM (#48904903)

    Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

    The problem is when your carrier prevents you from upgrading. Blame for this issue lies soley at the feet of Verizon, At&T, Sprint, T-Mobile, etc.

    • by Mr D from 63 ( 3395377 ) on Monday January 26, 2015 @11:07AM (#48904955)
      They also state that the vulnerability can be easily avoided just by using an updated browser.
      • by Anonymous Coward on Monday January 26, 2015 @11:15AM (#48905065)

        The webview control is also used internally by many apps, so you can't really avoid it. Google is pulling an "XP" here, except they're abandoning software that hasn't even been in the market for two full years.

        • The timeframes for Android are not of the same scale as those for Windows. Don't confuse them and then complain.

          • Bullshit.

            Google are a highly effective propaganda company.

            But, as providers of a platform for developers, they are absolutely horrible. Writing software for their "platform" is like building a house on quicksand.

            They make me look back on the time spent developing for Microsofts products with fondness.

      • Yeah, that can't be right.
        A WebView can be used in pretty much any app. It may or may not be vulnerable, depending on whether certain features of the WebView are used, but a WebView has the potential to be the core of a complete (vulnerable) browser in any app.

        More info on this matter here: https://community.rapid7.com/c... [rapid7.com]

        My guess (or hope, maybe) is that Google is responding the way they are to strongarm the handset manufacturers into (allowing) properly updating Android on their older products. A sort of

        • by Anonymous Coward on Monday January 26, 2015 @12:37PM (#48906033)

          No, they just don't give a shit like any other massive software company. My 1 year old Post-Google Moto phone will never see an official 4.4/5.0 release. Clearly they just can't be fucked to try.

    • by alen ( 225700 )

      how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

      • by soft_guy ( 534437 ) * on Monday January 26, 2015 @11:11AM (#48905023)
        Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arrises.
      • by Black.Shuck ( 704538 ) on Monday January 26, 2015 @11:15AM (#48905071)

        how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

        Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

        Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

        • by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Monday January 26, 2015 @12:20PM (#48905857)

          Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

          You're off by an order of magnitude.

          Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet wise, I think it was over 1 tablet a week (it was over 50 around October).

          It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.

          I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...

          • by AmiMoJo ( 196126 ) *

            It's not 150 smartphones a year, it's 150 distinct models. Often the only difference between models is the default language, or some minor variation in the case (far eastern models usually have a place to attach a strap, western models don't but otherwise the hardware is identical). Often it's just a different modem driver to support different regions LTE, that kind of thing. The core software is the same, and sure enough when they do release updates they tend to be for all models in a family at once.

      • Re: (Score:2, Insightful)

        by Tablizer ( 95088 )

        how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

        Perhaps you really do get what you pay for.

      • Apple abandoned the original iPad in under 2.5 years.

        It's not like they don't do it either.

        Companies expect you to buy the new hotness all the time, and stop expending resources on older platforms.

        Because, after all, they only give a shit about you for as long as it takes to get your money. And then you're just someone who doesn't matter to them.

        • by Karlt1 ( 231423 ) on Monday January 26, 2015 @11:48AM (#48905461)

          Apple abandoned the original iPad in under 2.5 years.

          But on the other hand, Apple released a security patch for the iPhone 3GS - released in 2009 -- last February.

          The iPad 2 released mid-2011 can still run the latest OS.

        • by bondsbw ( 888959 ) on Monday January 26, 2015 @11:54AM (#48905535)

          2.5 years is pretty good compared with many Android devices. My wife and I have owned 4 Android devices between us, and none of them received updates even 2 years after their initial release date.

          Also I suspect you picked on the first iPad because it was the worst. I can't recall any mainstream Apple product that was supported for less time. Many of them are supported for 4 years or more.

    • Re: (Score:3, Insightful)

      by rot26 ( 240034 )
      My widely distributed product has been discovered to have a serious security flaw affecting millions of users. I have fixed this but it requires you to get your congressman to fetch it for you and have his staff install it. It's not MY fault if you can't convince your congressman to do this, it's HIS fault, and if you suffer, that's just too bad. Take it up at the voting booth.
      • It sounds like you've entered full snark mode here. To make the analogy complete you must include the fact that congress passed a law making them the only ones able to push out an update. It's been said before, even if Google did write a patch how do you propose they actually get it onto the vulnerable devices?
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      That's fucking comical. Google knows very well what the situation with the carriers and OEMs is, they are just as culpable in this mess. If Microsoft or Apple pulled some shit like this the tech blog sphere would implode from the density of the rage. All is forgiven for Glorious Google-sama however!

    • It's not just carriers. It's also manufacturers. I Europe it's common to buy phones off contract but they are not upgraded either.

      So the manufactures are also to blame. And I offend think that it's the manufactures fault. And not the carrier. For why else would they not make the updates for the rest of the world?

      • by BVis ( 267028 )

        The difference is, unlocked/no-contract phones can have their OS upgraded. Under-contract phones in the USA can only be upgraded if the carrier allows it.

        So in Europe it's possible, and in the USA it is not.

  • Their excuse sucks (Score:4, Insightful)

    by BarbaraHudson ( 3785311 ) <barbara.jane.hud ... minus physicist> on Monday January 26, 2015 @11:00AM (#48904913) Journal

    They claim not to have the resources to do maintenance because it's 5 million lines of source code. Gee whiz, how many 100s of millions of lines of source code are there for OSes - and yet they don't get EOLed in a couple of years.

    What other bugs (in this and other projects) are going to be labed WONT_FIX?

    • Hipster developers do not do such lowly menial tasks as maintenance!

  • by Anonymous Coward on Monday January 26, 2015 @11:03AM (#48904925)

    The WebView code was originally tied directly to the android version and HW manufactures aren't willing to deploy 4.4 since it would take effort on their part. To avoid this, in the newer versions of android, they have made it so there can be a play store update to fix and replace the webview-like modules so they can regain control of the patching process and not rely on handset companies.

    • by ThePhilips ( 752041 ) on Monday January 26, 2015 @11:44AM (#48905399) Homepage Journal

      The WebView code was originally tied directly to the android version and HW manufactures aren't willing to deploy 4.4 since it would take effort on their part.

      4.4 changed WebView and that broke a number of apps.

      And not simply broke. Google has removed sizable chunk of WebView functionality because it is not really WebView anymore, it is small Chrome browser window and the features everybody was relying upon where never part of Chrome and as such... tough luck.

      To the company with the resources of Google, lame excuses like that are just unacceptable.

  • Nice troll (Score:5, Insightful)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Monday January 26, 2015 @11:05AM (#48904943) Homepage Journal

    Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

    • Re:Nice troll (Score:5, Insightful)

      by Godai ( 104143 ) * on Monday January 26, 2015 @11:11AM (#48905017)

      Also a point that gets largely glossed over is that this only affects apps that use Webview as a widget -- browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

      The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

      • Yes, 60% is very misleading, as is the intentional omission of how easy the problem is to avoid.

        But, hey, why pass up a chance to bash?
    • Re:Nice troll (Score:5, Interesting)

      by OhPlz ( 168413 ) on Monday January 26, 2015 @11:24AM (#48905187)

      I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.

    • there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it.

      This has been my experience in the industry as well. I don't see OEMs scrambling to get the latest updates from the chip vendor or from Google. And I see chip vendors who basically abandon support for older chips on newer releases.

      I blame Google, OEMs and Vendors for the problem and not really the carriers. While carriers usually want software to be qualified before an update is allowed, there are many carriers with different rules and many phones that are not under contract.

      Carriers are less particular abo

  • by NoNonAlphaCharsHere ( 2201864 ) on Monday January 26, 2015 @11:07AM (#48904953)
    Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Monday January 26, 2015 @11:10AM (#48905005)
      Comment removed based on user account deletion
    • Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

      Google set it up this way. According to the Google Play dashboard, 61% of people are v4.3 or lower. you know that 90% of them will never update. And the google play store only collects phones that visit the service, imagine the tens of millions "grandma's phone" people who use an android because that is the default cheap phone without making use of the play store. Sounds like a basket of fail to me.

      https://developer.android.com/... [android.com]

    • Apple and Microsoft control their own update process on all platforms; Google does not. It's the individual carriers who are getting in the way of Android updates.

      And who entered into the contracts with carriers saying who is responsible for what? Google can't dodge some form of culpability for this.

  • by ThePhilips ( 752041 ) on Monday January 26, 2015 @11:07AM (#48904957) Homepage Journal

    The explanation I read elsewhere (RTFA quotes from different interview) sounds alot like the excuse of some incompetent developers: use trunk or it is not my problem!

    If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.

    But it seems they can't because as all developers working exclusively in the trunk, they have rewrote everything already several times, and looking at the old stuff is... wew! It's old! It's absolutely horrible! Use snapshot from the trunk!! We fixed everything!! It's all better!! We promise!! Honestly!!

    • If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.

      Hahahahahahahahaha, seriously? This is fixed in 4.4 and the OEMs aren't rolling that out. What makes you think they'll roll out anything, especially because most manufacturers have a long history of not rolling stuff out?

      I'm guessing Google just got tired of making patches nobody would ever see.

  • I think that the users of the default browser are probably doing a lot of other stuff that will compromise security. The advanced users will mostly install a different browser from the Play Store.
  • Android Patching (Score:3, Insightful)

    by Xinef Jyinaer ( 1044268 ) on Monday January 26, 2015 @11:10AM (#48905011)
    I don't get how this can make the front page twice. This time TFS has nothing to do with the TFA, but neither are relevant. Google has already patched this, that is what 4.4 is. If you can't get 4.4 pushed to your phone then chances are you are not going to get another patch to this pushed to your phone. At that point the way Android patches are being pushed it is entirely out of googles hands...
    • by caseih ( 160668 )

      Android 4.4 isn't really an update for me. Broken SD support is a deal breaker.

      Wonder if cyanogenmod will backport the fix? Or is it time to switch from Dolphin to Firefox?

  • by danbob999 ( 2490674 ) on Monday January 26, 2015 @11:13AM (#48905045)
    You can get an updated browser through Google Play store. Many are available. Using a browser that comes pre-loaded with the OS and to rely on your phone manufacturer/carrier to update it is security risk.
    • Re: (Score:3, Insightful)

      by maorb ( 2578043 )
      That solves the browser issue, but many apps (especially those that have in app advertising) remain vulnerable whenever they load an ad. So people using the free versions of many popular apps can still fall victim to this vulnerability.
  • by Anonymous Coward

    If it was as easy as deploying an update to an apk through the play store, Google would do it. Google DOES do it. System updates are handled by the Carrier. We all know damn well that carriers do not have incentives to provide device updates. You should never expect an android device to receive major version updates. If thats important to you buy an apple device, just don't complain about bending.

    In short, do your god-damned research before buying that shiny new brick.

  • To be fair... (Score:4, Insightful)

    by Junta ( 36770 ) on Monday January 26, 2015 @11:28AM (#48905219)

    What are the chances that a vendor that declines to update 4.3 to 4.4 would be willing to do an update for a 4.3.x if Google bothered to do it.

    I think it smells bad, but trying to target users with vendors holding back 4.4 but willing to do another 4.3.x update is tricky. This is why google moved toward moving stuff in a more modular fashion: to get the ability to update relevant portions without demanding the vendor get in the middle.

  • After all, you might break something.

  • But the summary does not. Sheesh.

  • by DrProton ( 79239 ) on Monday January 26, 2015 @11:55AM (#48905545)
    This "vulnerability" can be completely avoided by installing Firefox or Chrome on your android 4.3 device and using either as the default browser. It's irresponsible of /. to ring the security panic bell without mention of how one can simply neuter the threat.
  • by Anonymous Coward on Monday January 26, 2015 @12:00PM (#48905619)

    We can patch it ourselves! Right? Right?!

  • by internet-redstar ( 552612 ) on Monday January 26, 2015 @02:15PM (#48907039) Homepage
    Many remarks say that Google isn't to blame as they provide bug-free versions of Android as well.
    HW vendors are indeed not interested to provide upgrades for hw they no longer sell.

    While that is true, it was Google's choice to allow binary device drivers for Android interaction by the vendors.
    It are these proprietary device drivers which are preventing initiatives such as Cyanogenmod and others to provide a clear upgrade path.
    It illustrates the big mistake Google makes in this regard (allowing binary drivers and focusing on Apache licenses).
    The position of Google is strong enough to make a stance in the interest of the users (and the world) that all Android drivers should be OpenSourced... in that way the users can 'bake their own' and get their own responsability with respect to upgrades.
    The current situation brings the responsibility upon unwilling HW vendors, unwilling providers and ultimately Google.

    Sooner or later this is going to blow up into the face of Google because bigger security problems will one day be found!
    It's time Google takes a stance for OpenSource software in the interest of the users and the larger common good (certainly now it's completely on par with their own interests)!

No spitting on the Bus! Thank you, The Mgt.

Working...