In brief: Google’s decision not to patch a security hole in versions of Android used by hundreds of millions of consumers is a bad omen for the Internet of Things and will likely push some Android users to alternative versions of the operating system.
Google is having its way on the issue of security patches these days. The company has twice made waves for rival Microsoft by disclosing information and proof of concept code for vulnerabilities in Microsoft’s Windows. This, much to the consternation of the Redmond, Washington-based Microsoft, which prefers to work privately with security researchers to fix security holes before their details are publicly disclosed.
When it comes to security holes that affect its own software, however, Google indicated this week that it is pursuing a decidedly “hands off” policy: declining to expend its own resources to fix a reported vulnerability in WebView, a critical component of the Android mobile operating system, for versions of Android prior to Android 4.4 (a.k.a. “KitKat”). The decision leaves the bulk of Android users – some 60%, or more than 900 million consumers – vulnerable, according to a post by security researchers at Rapid7, who first reported the security hole to Google.
To be clear, the latest decision appears to apply only to WebView, an Android component that is used to render web page content. Other components of Android prior to the “KitKat” versions will continue to be patched.
So why WebView? According to Rapid7, Google is making it policy to stop supporting third party devices that run Android and use the built-in Android browser. (Google did not respond to requests for comment prior to publication.)
This is likely a result of the fact that many threats and attacks are coming via the web. It makes a kind of sense to insist that third party devices that do offer web browsing upgrade to the most recent Google code.
But it also ignores the fact that a majority of Android users haven’t upgraded to KitKat and, in fact, have no easy path to doing so, short of getting a new Android mobile device.
As we’ve noted before, the Android ecosystem is fragmented. Despite being the dominant mobile operating system in the world, Android is still just another open source project. Google maintains the core operating system components and has been responsive in patching security holes for supported versions of it. But third parties – handset makers, mobile carriers, device makers – are free to modify Android to suit their needs, and do so – to the detriment of security.
In contrast to Apple’s iOS, most Android users get along on versions of the operating system that are months – if not years – behind the most recent version. And, because it is at the discretion of both handset makers and carriers to issue updates for their platforms, many of those devices are never patched.
But Google’s policy of supporting only the most recent versions of Android may be a harbinger of things to come on the “Internet of Things.” Android already powers a wide range of devices, from smart watches to Amazon’s new Fire TV and home appliances like ovens. The company is also moving aggressively to have Android used as the operating system for in-car entertainment and networking.
The debate about the fix for WebView raises troubling questions about how those devices – and other, more critical systems – will be supported. That’s especially true for devices with useful lifespans measured in years, if not decades – not the 18 to 24 month lifespan common for smart phones.
“This is yet another thing that’s going to make open source technology look insecure,” said Ron Gula, the CEO of Tenable Network Security. “We had Heartbleed, and then Shell Shock. Now we’re hearing that there’s a security problem in Jellybean that isn’t going to get fixed.”
Gula gives Google high marks for communicating its intentions regarding Android. However, he said questions linger about what the company’s long term strategy is. “The truth is that the version of Android that most people have in their hands is not the same source code as Google releases. It’s very different from phone to phone.” Even though Google has done a good job keeping the core operating system secure, downstream firms often introduce vulnerabilities as they modify it. And, unlike Apple and iOS, Google lacks the ability to enforce standards of security on those downstream customers, Gula said.
He said the problem is likely to recur in other areas of the Internet of Things. Device makers are making heavy use of open source code to keep development costs low and speed time to market. But that code often proves to be insecure or poorly maintained.
Zach Lanier, a co-author of The Android Hackers Handbook and a senior research scientist at Accuvant Labs, said that Google’s hands-off approach may increase interest in, and demand for, Android variants like CyanogenMod or Linaro’s Android builds. “I think you’ll find that people start switching to take advantage of the community patches for platforms like CyanogenMod,” he said. Alternatively, Android OEMs like Samsung may issue patches for their own ecosystem of devices that reach farther back than Google is willing to go, Lanier said.