Some of the world’s biggest publications including the Wall Street Journal and Forbes are running a story about how Google is no longer fixing security bugs in older versions of Android. The prize for the most sensationalist headline probably goes to Forbes for “Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion.”
A headline about critical security updates that aren’t going to be available for nearly one billion devices is enough to worry even the most non-technical of people. With publications like the WSJ and Forbes pushing out this story, I think we can officially call this a “scare.”
It all started with a post by Tod Beardsley on the Metasploit blog. Metasploit is a tool that security experts use to test different computers and devices to see if they are susceptible to security vulnerabilities. The Metasploit tool has a large following in the security world and it garners a huge amount of respect. Tod Beardsley himself is a respected engineer with years of experience working in the security industry. He has often been a speaker at security conferences and is a member of the IEEE.
The whole business of distributing patches downstream is a whole other problem that needs to be addressed.
For example, if you use a RSS reader that relies on using WebView as a way to read the full story from an item listed in an RSS feed, then it would be possible for an attacker to get a story published that takes users to a malicious site. The mini web browser in the RSS reader could then be exploited, if it is vulnerable.
Beardsley does some maths and demonstrates that some 930 million Android devices are no longer receiving any security patches from Google. Everything that Beardsley has written is factually correct and the threat is real. “Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3 or below,” wrote Thomas Fox-Brewster for Forbes.
But the situation isn’t as black and white as Beardsley and Fox-Brewster are suggesting. Ask yourself this question, when was the last time that Samsung, or HTC, or LG posted an update for devices running Android 4.1, 4.2 or 4.3? Obviously, I am unable to keep track of every update pushed out by every company in the world, so I am sure there will be some exceptions to this, but the answer is – rarely.
Even if Google does continue support, would the devices even get it?
So even if Google fixed the source code in Android 4.3, the chances of it arriving on an actual handset are quite small. One of the first comments on Beardsley’s post was by dr.dinosaur who wrote, “Even if Google does continue support, would the devices even get it? As you mentioned, getting updates on these old devices is not an easy process as it has to get approved by the manufacturer, approved by the carrier, pushed to the device itself, and downloaded and installed by the user.”
Tod acknowledges this with a follow-up reply, “The whole business of distributing patches downstream is a whole other problem that needs to be addressed. That said, if the handset manufacturers or the carriers weren’t picking up Google-sourced patches before, I somehow doubt they’ll be faster to pick up patches from Some Guy On The Internet…”
What is really broken with Android is not if and when Google supplies patches for Android, but the 'whole business of distributing patches downstream.'
And his point is valid in that OEMs are unlikely to pick-up security fixes to AOSP that have been published by random people on the Internet. But he also points out that the handset manufacturers weren’t picking up Google-sourced patches anyway. What is really broken with Android is not if and when Google supplies patches for Android, but the “whole business of distributing patches downstream.”
Google has done a lot to address this problem over recent years. Firstly it started de-coupling various components and services from the main Android build and offering them as updates via the Play Store. For Android 5.0 Lollipop, Google has also unbundle the WebView component and is offering that as an automatic update from the Play Store. That should stop the current situation with Android 4.3 occurring in the future.
Second, Google has various programs like the Nexus range and Android One, which allow people to buy handsets which get updates directly from Google. The result is that the downstream update model is slowly changing. It isn’t perfect by a long way, and while the OEMs and carriers remain slow in updating devices then the potential for this kind of problem still exists.
If you are using Android 4.x then you should consider installing a browser like Chrome or Firefox to do you main mobile browser
It is also worth mentioning that alternative firmwares, like Cyanogenmod, probably pick up the fixes from Google quicker than the OEMs. So technically anyone running CyanogenMod 10.x will no longer get any security updates unless a non-Google engineer patches the the AOSP or Cyanogenmod code for known vulnerabilities.
If you are using Android 4.x then you should consider installing a browser like Chrome or Firefox to do your main mobile browsing, rather than using the built-in browser. This will at least ensure that you are protected from known vulnerabilities when surfing the web, regardless of what patches are available for your version of Android. If you use an app that opens up a WebView to connect to the Internet then you should consider finding an alternative, unless the app only accesses some limited hard-coded URLs.