This is the question that users of gadgets running outdated versions of Android OS will start asking
Google and the security of “middle-aged” gadgets. If you have not been following the subject, this is the topic that dominated the whole past week.
The issue of security in general, and of mobile and desktop devices in particular, is not new in itself. The topic is discussed almost every day, although truly significant events occur somewhat less often. The most recent ones were the hacking of Sony's servers, the active US opposition to cyberterrorism, and numerous stories and scandals involving malicious code, antivirus software and the like. Nevertheless, the past week stood out. As it turned out, users of devices running an OS older than Android 4.4 KitKat will no longer receive security updates from Google. In particular, we are talking about holes in the functionality called WebView.
First of all, it is worth understanding what WebView is, or rather, what it is responsible for. This standard Android OS functionality allows developers to implement Internet access directly from their applications. For the average user, this means that the applications on your gadget, whether tablet or smartphone, can display the contents of web pages more easily and faster than they could without WebView. Interestingly, this functionality is more than a mere convenience: at one time, Google actively promoted the use of WebView by developers in their applications. So how did this functionality come to be regarded as potentially dangerous? The point is not so much that WebView is the preferred software tool for accessing Internet content, but that attackers quickly adopted it as a preferred tool for illegal and unauthorized access to your gadget. That, in turn, became possible because WebView allows access to almost all services of the Android OS, and through them to the entire hardware of any gadget.
As a result, Android owners received in WebView not only a convenient software interface for accessing online content, but also a potentially dangerous means of gaining illegal access to the device, one that requires close attention, protection and regular updates.
So we come to the heart of the problem. “Where is the update for WebView?” you can reasonably ask Google. The answer to date is not very optimistic: “It is beyond our responsibility.” Google has every reason for such a reaction, even though Android cannot help but fall under the responsibility of the Mountain View company. Google here is not just part of the solution; it is also only part of the problem. The fact is that after the release of Android 5.0 Lollipop, Google took WebView out of the box and made it available for download from the Play Market. Motorola once did something similar with its “boxed” applications. One of the main reasons in both cases was the need for, and the possibility of, effective and timely updates. The problem for Google in our case is that by releasing an update for WebView, the company solves only part of the issue. Next, Google needs to notify OEM manufacturers about the update, since it is from them that we receive updates “over the air”. After the vendor receives the corrected code, it must make the code compatible with its own shell, test it, and only then offer it to its customers as an OTA update. The more customized the shell code is (and it can also be adapted for a specific cellular operator), the more complex and costly the work on the patch will be.
So even if Google offers OEM developers updates for WebView, there is no guarantee that the latter will provide their users with the necessary updates. After all, as we know, vendors almost always stop supporting devices that are more than two years old.
So who is to blame for the fact that a considerable number of gadgets running the Android operating system may become vulnerable to malicious code in the very near future? The question is not quite the right one. Most likely, Google moved WebView into a separate application in order to avoid a similar situation in the future for the still relevant devices running Android 4.4 KitKat. For Google, this is the only possible way to keep this threat-sensitive functionality up to date. Unfortunately, this is not possible for Jelly Bean-based devices, so if vendors are not ready to adapt and apply updates to legacy devices, Google may not see the need to deliver these updates to them. As a result, it is quite possible that third-party developers will offer updates. However, a situation in which independent developers from the Android community solve such problems is even less desirable.
So the situation is a stalemate: Google does not publish “patches” because OEM manufacturers do not develop updates for obsolete devices based on them, and OEMs express no willingness to cooperate because they see no prospect of getting a code fix from Google. Third-party solutions are not acceptable.
All this brings us to the question of what Android is. It is an open-source operating system in which no one is fully responsible for key aspects such as security. Devices that are still quite relevant, but whose support has been discontinued by OEM manufacturers, are not just at risk; they will indeed be left without critical updates. There is only one way out: unofficial custom firmware. So far, there is no less pessimistic outlook for Jelly Bean users.