Google halts WebView patching on Android 4.3 Jelly Bean and older

Android Jelly Bean (4.1) was first announced at Google I/O on June 27, 2012. The first device to run Jelly Bean, the original Google Nexus 7, followed later that summer. Despite now being more than two years old, Jelly Bean can still be found on 46% of Android devices. Given how prevalent it remains, one would assume that security updates for it would remain a priority for Google, but that no longer appears to be the case.

The team behind the Metasploit security tool recently reported to Google a number of new Android WebView exploits it had found in Android 4.3 and older versions. WebView is the component that renders web content inside apps, which makes it a key part of Android and of every app that relies on it to display pages. Whereas Google had been “pretty quick with a fix” in the past, this time it told the team that it would not provide security patches for the new vulnerabilities; the most it will do is notify OEMs. According to an email received by Metasploit:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

The only hope for users of Jelly Bean and older versions of Android is that third parties will patch the vulnerabilities themselves and submit the fixes to Google. In that case Google will “welcome” the patch and may take further action. Oddly, Google appears set to continue back-porting patches for other pre-KitKat components, such as the multimedia players.

It is not clear why Google has decided to stop supporting some components of older Android versions. Given that vulnerability details are often published online, it is very likely that exploits for these issues will be used to compromise older Android phones.

Is Google tempting fate by taking such an approach? Or should users simply accept that Jelly Bean is now more than two versions old and that Google no longer needs to support it? Let us know what you think.


Sources: Rapid7 // Android and Me