I've got a scary update for Android users. Google has quietly decided to end security updates for a commonly used feature, a move that could leave all users on Android 4.3 and below open to attack. That amounts to about 930 million users.
The feature is called WebView, and it lets apps on your gadget open Web pages without accessing another app. This is a major concern for Android users because WebView has been full of bugs in the past and is a known hacker target. WebView interacts with apps and other features on your phone, so it's a good tool for hackers looking to break into your gadget.
It’s also the favored vector for attack for nearly any remote code execution vulnerability in the mobile OS, according to Rapid7 engineering manager Tod Beardsley.
At the very least, users on Android 4.3 and below should know that hackers who want to take advantage of WebView's security holes do have some obstacles to overcome.
Though the component is one of the more tempting targets for Android hackers, attackers would either have to get exploit code onto a web page displayed by a targeted app, or trick a user into following links that are then rendered by WebView.
Instead of sending out a warning to users, Google quietly decided to end security updates for WebView on Android 4.3 and below. Google may still push out updates if third-party developers find bugs and create patches themselves, though.
Android KitKat (4.4) and Lollipop (5.0) users don't have to worry about this problem. KitKat is still getting updates, for now, but only 30% of Android users have it.
For Lollipop, Google unbundled WebView from the operating system. That means you can set up automated updates for WebView from the Play Store. That's not helpful for most people, though, because only about 0.1% of Android users currently use Lollipop.
There is something you can do if you're using Android 4.3 or below. Since the feature works by letting your apps open Web pages, you could avoid it altogether by not clicking on links within apps, like news stories posted on Facebook or Twitter. Instead, you could copy the link from within the app and then open it using your gadget's default Web browser or Google Chrome.
And remember, whether you're on your phone, tablet or computer, never click or follow a link from a source you don't know and trust, because it could lead you to a compromised webpage loaded with malware.