A major security flaw has been found in the WebView component of Android 4.3 and below. WebView is an embeddable browser control, powered by a version of WebKit, that apps use to show web pages. Android 4.4 and 5.0, which use Blink instead of WebKit to render web pages in apps, are unaffected. Going by Google's own numbers, however, around 60 percent of users' devices and their sensitive information are at risk.
The bug is severe, as it could allow attackers to gain full control of a device, and the Android Security Team was notified of it. The team's response to the issue, however, came as a shock to many.
Google knows the repercussions of the flaw in its software; however, it has shown no interest in getting it fixed.
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” stated the Android Security Team.
Why Has Google Stopped Securing Its Own Software?
It might look as though Google is fond of drawing flak for its unprofessional approach, whether over disclosing the Windows bug two days before Microsoft released a fix or over the approach the company takes to updating its own software. But nothing here is blown out of proportion. Here is why it stopped securing its own well-loved software.
Even if Google simply notifies the OEMs (Original Equipment Manufacturers) so that they can produce patches, the process is time-consuming, though it would eventually get the security bug patched.
The OEMs would first have to build that patch into their own firmware updates, which would then be validated by the mobile operators and customized for their networks. Only after the firmware updates are validated and customized would they be sent out to Android users. In practice, it is unlikely that many users would ever receive the patch.
The other way out of the problem would be for Android users running 4.3 and below to receive major updates to Android 4.4 or even 5.0, which would help Google eliminate the bug. But since OEMs are not willing to ship this kind of update, Google is left without any solution in its hands.
In fact, Google's situation has become a complicated one, because it has developed a platform that it has no power to update. It has to depend on the OEMs and network operators to adopt its source code changes and then send them out to users.
This is why, to avoid such complicated situations, Google has pushed more functionality in its latest Android versions, 4.4 and 5.0, including WebView, into packages such as Google Play Services and the Google Play Store, which can be updated directly by Google.
So, going forward, any bug discovered in WebView can be fixed by Google itself, but for any issue in the same component of Android 4.3 and below, it will remain dependent on OEMs and network operators.
This is why Google announced that it would not provide security updates for its older software, Android 4.3 and below, which is a tough situation for the company as well as for the billion Android users.
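For app developers who still have to ship to those devices, the practical caveat is to treat the platform WebView on API levels below 19 (Android 4.4) as unpatchable. The following is an added example, not code from the article or from Google: a hypothetical helper that gates WebView use on Build.VERSION.SDK_INT and, on affected devices, confines it to bundled assets or a single allow-listed HTTPS origin (the origin is a placeholder) while turning off settings the page does not need.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (hypothetical helper, not from the article or from Google).
// Treats the platform WebView as unpatchable on Android 4.3 and below (API < 19)
// and restricts it to first-party content on those devices.
public final class LegacyWebViewPolicy {

    // Allow-listed origin for remote content; a placeholder, not from the article.
    private static final String TRUSTED_ORIGIN = "https://example.invalid/";

    private LegacyWebViewPolicy() {}

    /** True on Android 4.3 and below, the versions Google said it will not patch. */
    public static boolean isUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19
    }

    /** True if the URL is one we are willing to load on an unpatched WebView. */
    public static boolean isAllowed(String url) {
        if (url == null) return false;
        return url.startsWith(TRUSTED_ORIGIN) || url.startsWith("file:///android_asset/");
    }

    /** Applies a least-privilege configuration and blocks off-list navigation. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        // The flaw is in the WebKit-based engine, so expose as little of it as possible.
        s.setJavaScriptEnabled(false);   // re-enable only for pages that truly need it
        s.setAllowFileAccess(false);     // bundled assets under file:///android_asset stay readable
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true swallows the navigation; applied only on unpatched devices.
                return isUnpatchedWebView() && !isAllowed(url);
            }
        });
    }

    /** Loads the URL only if policy permits it; returns whether the load was issued. */
    public static boolean load(WebView webView, String url) {
        if (isUnpatchedWebView() && !isAllowed(url)) return false;
        webView.loadUrl(url);
        return true;
    }
}
```

On Android 4.4 and later the policy is a no-op for navigation, so the same code path serves both the patched and unpatched populations described above.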