The security expert Tod Beardsley published an interesting post on Rapid7's Security Street blog explaining that the Metasploit framework currently includes 11 different exploits for WebView.
“WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser,” explains Beardsley in the post.
The security community is aware that WebView in older versions of the Android mobile operating system is vulnerable: exactly one year ago Rapid7 released the “exploit/android/browser/webview_addjavascriptinterface” module, which allows attackers to gain remote access to most Android devices.
Unfortunately, about 60 percent of the mobile devices currently in use still rely on the flawed WebView, and the worse news is that Google is not going to fix it. Google will not develop fixes for WebView issues affecting Android prior to version 4.4 (KitKat); the company will, however, accept patches provided by the research community and will notify OEM partners of any new vulnerability.
“However, after receiving a report of a new vulnerability in pre-4.4 WebView, the incident handlers at [email protected] responded with this:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.” added Beardsley
Even if Google notifies OEMs of a new bug, 60 percent of end users will remain vulnerable until a patch is distributed … and patch management on a large scale can take a long time.
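While waiting for OEM patches, app developers can at least avoid exposing the legacy bridge themselves. The following Java snippet is an added example, not code from the post or from Rapid7: it installs a JavaScript-to-Java interface only on Android 4.2 (API 17) and later, where only methods annotated with @JavascriptInterface are reachable from page script, and keeps the bridge off on older builds. The class and method names (SafeWebViewBridge, AppBridge, attach) are hypothetical.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/**
 * Hypothetical helper (not from the post). On Android below 4.2 (API 17),
 * every public method of an object passed to addJavascriptInterface() is
 * callable from page JavaScript, so this helper only installs the bridge
 * where the @JavascriptInterface restriction is enforced (device API 17+
 * and the app's targetSdkVersion is 17 or higher).
 */
public final class SafeWebViewBridge {

    /** Minimal bridge: on API 17+ only the annotated method is visible to JS. */
    public static final class AppBridge {
        @JavascriptInterface
        public String version() {
            return "1.0";
        }

        // No annotation: not reachable from page JavaScript on API 17+.
        public void internalOnly() { }
    }

    /** True only on builds where the annotation restriction applies. */
    public static boolean bridgeIsSafe(int sdkInt) {
        return sdkInt >= Build.VERSION_CODES.JELLY_BEAN_MR1; // API 17
    }

    /**
     * Attach the bridge only when the WebView loads trusted, app-controlled
     * content and the platform enforces @JavascriptInterface.
     */
    public static void attach(WebView webView, boolean loadsOnlyTrustedContent) {
        if (!loadsOnlyTrustedContent) {
            // Untrusted or cleartext pages: never expose a Java object to them.
            return;
        }
        if (bridgeIsSafe(Build.VERSION.SDK_INT)) {
            webView.getSettings().setJavaScriptEnabled(true);
            webView.addJavascriptInterface(new AppBridge(), "App");
        } else {
            // Pre-4.2 device: leave JavaScript off and use a URL-scheme
            // callback via WebViewClient.shouldOverrideUrlLoading() instead.
            webView.getSettings().setJavaScriptEnabled(false);
        }
    }
}
```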
It must also be considered that different manufacturers distribute their own customizations of the Android OS, often including supplementary features and third-party apps for their customers. According to data published by Google on its dashboard, although Android 4.4 KitKat has been on the market since October 2013, 60 percent of mobile users are still exposed to the risk of attack.
“In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support, given the published Gartner and WSJ numbers on smartphone distribution.”
We must also consider that vendors and network providers would prefer that customers upgrade to newer devices, and rarely spend significant effort developing, testing and deploying fixes for older handsets.
I personally consider the situation concerning because Google is not able to control the entire supply chain for updates to its Android OS, exposing hundreds of millions of users to security risks. Another factor that aggravates the situation is the increasing number of cyber threats to the mobile industry and their level of sophistication.
Other companies like Apple and Microsoft, in contrast, have direct control over the distribution of updates for their mobile operating systems.
Beardsley has also provided an interesting reflection on the “Economics of Upgrading”: there are several mobile handsets on the market with substantial differences in price. Unfortunately, a large portion of users is not able to spend much more than $100 and so has no choice but to buy “legacy” Android devices.
“Beside the installed bases, I posit that the people who are currently exposed to pre-KitKat, pre-Chromium WebView vulnerabilities are exactly those users who are most likely to not be able to “update to the latest version of Android” to get security patches. The latest Google Nexus retails for about USD$660, while the first hit for an “Android Phone” on Amazon retails for under $70. This is a nearly ten-fold price difference, which implies two very different user bases; one market that doesn’t mind dropping a few hundred dollars on a phone, and one which will not or cannot spend much more than $100.
Taken together — the two-thirds majority install base of now-unsupported devices and the practical inability of that base to upgrade by replacing hardware — means that any new bug discovered in “legacy” Android is going to last as a mass-market exploit vector for a long, long time,” said Beardsley.
Security researchers have noticed a growing number of attacks on mobile platforms and the online availability of tools and platforms able to exploit flaws already disclosed for Android devices.
Let’s hope Google will reconsider its approach to “legacy” Android OS … their security is everyone’s responsibility.
(Security Affairs – Google, Android)