Some time ago we reported on Android Help a security issue in the basic browser included in devices running versions 4.3 or earlier of Google's operating system. At the time, it seemed that the Mountain View company was working on a fix ... something that, in the end, does not appear to be the case.
This flaw originates in WebView, the component that displays web content within applications and in the native browser based on WebKit. Various sources from the Android security team have indicated that there are no plans to fix it in those old builds: maintaining so many variants would mean version-specific patches and touching millions of lines of code, with the risk of introducing new problems.
The truth is that the effects of the "hole" in the WebKit-based application are potentially dangerous: if you access a page that contains the specific code, JavaScript code may be executed, and the device's cookies and even its passwords may be read without permission.
A surprising answer

The developer who detected the security problem, Rafay Baloch, reported it to Google and, to his surprise, received a reply from the Mountain View company stating that it will not invest its resources in solving the problem and that it leaves it to the manufacturers themselves to find the corresponding solution.
In line with that position, Android security officials have explained that “Keeping the software up to date is one of the biggest challenges.” and that “it is not practical in the long term” to patch the legacy browser engine on every older variant of the system. The justification adds that the affected engine is obsolete, and that the priority is on modern browsers with continuous updates (like Chrome) and on recent versions of the system, where WebView was separated and receives improvements through its own channel.
This may make perfect sense, since we're talking about Jelly Bean, which has been around for years. But the truth is that this distribution remains the most used at present, hovering around almost 50% of the share of Android devices (ahead of KitKat, for example). Taking this into account, the detected problems should be taken much more seriously, since the potential number of affected terminals can amount to hundreds of millions - if not more. Therefore, it is an unfortunate attitude if the published information is confirmed.
Waiting for solutions
If you are one of the users affected by the security problem because you use Android 4.3 and the default browser (or one adapted by the manufacturer of the terminal), the truth is that you will have to wait for a specific fix to arrive on your device. That may or may not happen, so here are some recommendations that will let you use your mobile device with more peace of mind:
- Only visit trusted pages
- Don't run third-party files that you have doubts about or that try to install or download automatically
- Use a browser other than the one that comes by default on the device, such as Firefox, Chrome or Dolphin
- Disable the native browser if the system allows it and set Chrome or Firefox as the default for opening links.
- Avoid opening embedded content in apps when you can, and force it to open in a safe external browser.
- Keep all apps updated from their official store to reduce attack vectors.
- Take extreme caution on public Wi-Fi networks and avoid logging into critical services from your old browser.
- Check the permissions of apps that integrate WebView and uninstall those that are not essential.
For many experts, the impact is relevant because attackers can exploit the legacy browser more easily. If you're using a version with a vulnerable WebView, it's best to migrate to a modern browser that does not depend on the affected engine and receives frequent patches through the store.
If your device does not have access to the Play Store, check the official stores of the manufacturer or your device vendor to get updated browsers; avoid installing APKs from unverified sources, even if they claim to “fix” the problem.
Application developers can also mitigate risks by limiting the use of WebView to encrypted and trusted pages, or delegating the opening of links to modern external browsers when the user's environment is potentially vulnerable.
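One way an app could apply both mitigations just described, as an added example that is not code from Google or from any project mentioned here. The class name `GuardedWebViewClient` and the hosts in `TRUSTED_HOSTS` are assumptions constructed for illustration.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical class name and host list, constructed for this example.
public class GuardedWebViewClient extends WebViewClient {
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));

    // Android 4.3 and earlier (API level below 19) use the legacy WebKit-based WebView.
    static boolean isLegacyWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT;
    }

    static boolean isHttps(Uri uri) {
        return "https".equalsIgnoreCase(uri.getScheme());
    }

    // Encrypted AND trusted: https plus an exact host match (no suffix or substring matching).
    static boolean isTrusted(Uri uri) {
        String host = uri.getHost();
        return isHttps(uri) && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        Uri uri = Uri.parse(url);
        // Legacy engine: only allowlisted https pages stay in-app. Newer WebView: any https page.
        boolean allowInApp = isLegacyWebView() ? isTrusted(uri) : isHttps(uri);
        if (allowInApp) {
            return false; // let the embedded WebView load it
        }
        if (isHttps(uri) || "http".equalsIgnoreCase(uri.getScheme())) {
            Intent intent = new Intent(Intent.ACTION_VIEW, uri); // hand off to the external browser
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            try {
                view.getContext().startActivity(intent);
            } catch (ActivityNotFoundException e) {
                // No browser installed: fall through and block the navigation.
            }
        }
        return true; // never load untrusted or non-web schemes inside the WebView
    }
}
```

Install it with `webView.setWebViewClient(new GuardedWebViewClient())`, and apply the same `isTrusted` check to the first URL the app passes to `loadUrl()`.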
Finally, if the operating system of your phone or tablet is Android KitKat or higher, you can rest assured that the detected security issue does not exist there. For the older versions, Google has no intention of solving it for the time being.
Source: washington street journal.
The decision not to patch older versions shifts the responsibility onto manufacturers and users: with good practices, a modern browser and by avoiding the native browser, it is possible to significantly reduce exposure until an updated device or system is available.

