Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

The solution is obvious

[BVis]

Clearly Google has decided that the solution for this problem is to update Android. This is not an unreasonable solution. The problem is fixed, and how you get the fix is well documented.

The problem is when your carrier prevents you from upgrading. Blame for this issue lies soley at the feet of Verizon, At&T, Sprint, T-Mobile, etc.

Re:The solution is obvious

[soft_guy]

Apple tries to control as much as they can on their platforms. Other platforms like Android and Windows take an approach of sharing responsibility for the overall quality between several different companies who can each point at each other and say "not it!" when a problem arrises.

Re:The solution is obvious

[Black.Shuck]

how is apple able to upgrade their phones for like 5 years and Scamsung, LG and HTC cannot?

Apple is comparatively disciplined, releasing about one new phone a year, and hardware and software are under their full control.

Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

Re:The solution is obvious

[Lazere]

I disagree. Microsoft not supporting XP and Google not supporting 4.3 are two completely different things. 4.3, despite being two major versions ago was released less than two years ago. If Microsoft or Apple stopped supporting an OS version after less than two years, there would hell to pay. Why does Google get a pass just because they have a fast versioning scheme?

Re:The solution is obvious

[Munchr]

No, the carriers made up this system, and it existed long before Android entered the market. Symbian OS, Windows Phone, and Android are all affected. Apple managed to get AT&T to agree to allow Apple to control when and how updates to the iPhone are provided as part of the initial AT&T exclusive partnership agreement for the original iPhone. Every carrier since AT&T has had to agree to the same provision regarding Apple's control, or they don't get the iPhone. I'm not aware of ANY other phone manufacturer that has managed that feat before or since, without being forced to sell their phones directly to the public as carrier free/unlocked phones as Nokia did with the n900.

Re:The solution is obvious

[BVis]

So because Google didn't specifically forbid something, and the carriers went ahead and did it not because it was a good idea, but because fuck the customer, that's Google's fault? If I don't specifically tell someone to look both ways before crossing the street, is it my fault when they don't and get hit by a bus?

The carriers are the bad actors here. Google had a bug in their product, and they have fixed it. The carriers are the ones not allowing their customers to install the fixed version.

Re:The solution is obvious

[CastrTroy]

Isn't this basically what Microsoft does with Windows, or what Linux does. One code base that runs on all kinds of machines. And we still expect them to get vulnerabilities fixed. I could understand if it was a bug with some kind of driver that communicated with the cellular radio or other piece of hardware. Then it would be up to the manufacturer or carrier to fix the bug. But this is a bug in something that has nothing to do with the hardware that it is running on. There should be a more reliable way for bugs to get fixed on Android without going through multiple entities, some of which would just rather you buy new hardware. Imagine if you had to go through Dell, HP, or Acer every time you needed something fixed in Windows. It would be a disaster. But that's exactly what the state of affairs is with Android. I'm due for a new phone soon. I can't afford an iPhone, and my previous phone was Android, but I seriously got burned on updates. I've been considering Windows Phone, but their app selection is quite poor. I find that the current state of affairs with phone operating systems to be quite terrible.

Re:The solution is obvious

[Tran]

Well, unlike the wireless phone companies, there where no vendors for the PCs that insist on putting their hands on the OS to customize the Android experience (mostly to detrimental effect, in my experience). So yes, Verizon, T-Mobile are on the hook for this one.

My plain vanilla Nexus 4 is still running fine with the latest and greatest, well latest, OS from Google. It is just staring to take some performance hits as compared to when it first came out.

Re:The solution is obvious

[AmiMoJo]

Download the Android source from the official site for free: https://source.android.com/sou...

You might be thinking of the Play store and other Google apps, which as you say are not free. You can download and install them for free as a user, but if you want to ship them pre-installed on a device then there are licence agreements. Nothing in those agreements about having to launch a flagship phone or nonsense like that... Android is winning because it is available on everything from low cost low end devices to the very top tier hardware.

As for the costs, Cyanogen seems to prove that they can be pretty low. They support a lot of devices with very little funding to do so, partly because they are open source and rely on volunteers. Some companies pay them for support, which seems like a reasonable way to do long term updates.

You should never buy a phone from a carrier. Always get it unbranded and unlocked.

Nice troll

[MikeBabcock]

Like everyone else reporting on this story, it completely misses the point -- there's no *point* in Google writing a patch, none of the hardware companies involved would ever bother to deploy it. They have *no* control over that bit of code in your phone unless you're running a Nexus device.

Re:Nice troll

[Godai]

Also a point that gets largely glossed over is that this only affects apps that use Webview as a widget -- browser apps like Chrome or Opera aren't affected because they've updated themselves to use Chromium (or something else). This may affect 60% of Android users, but what percentage of those are using the browser inside an app to visit random sketchy websites? I'm guessing the actual user base at risk is quite small.

The way this is reported it sounds like if you use Chrome on anything south of 4.4, you're IN GRAVE MORTAL DANGER OF TEH HACKZ.

Re:Not to be an apologist for Google, but

[finkployd]

No really an apology for google though, more of a "here is how google royally screwed up in their relationships with carriers that Apple and Microsoft seem to have gotten right".

Re:Not to be an apologist for Google, but

[Lazere]

Alternatively; "Here is how Google royally screwed up writing their OS so that updating even relatively minor parts requires a full OS upgrade while Apple and Microsoft seem to have figured out how patching works."