A recent request to Google to fix a security flaw in Android got a surprising answer from the tech giant.
It raised questions about the security on older versions of Android.
But what is “older” and should we be worried?
Software Versions & Today’s Tech
Now that we are essentially holding powerful computers in our hands (that simply happen to also make calls) the security of these devices should be pretty important to us. When you add in the ease of access (theft) and amount of data that can be accessed through such devices this becomes essential. Consider the ‘C’ managers and directors on the Google Cloud – all the documents they access and information they can read/edit/distribute – all available on their mobile.
Recent years (since ~2012) have seen a significant development in support and management of software versions in the mobile market is no exception.
It’s an important point that although this article concentrates on Android similar problems exist in all mobile environments – iOS, Blackberry etc.
What is this development? The developers call it “N+1 Support“.
What this means is that developers are only supporting the latest version of an operating system and its immediate predecessor.
Examples of N+1 Support
- Windows 8, Windows 7
- iOS 8, iOS 7
- Android 5 (KitKat), Android 4.4 (Lollipop)
Operating Systems and N+1 Support
Historically OS vendors have been quite understanding of the issues involved in updating. Most normal users cannot upgrade every two or three years at the fastest and less frequently if we can. Thus the vendors extend security support for otherwise obsolete an OS for many years.
A good example is Windows XP. Released in 2001, security support continued until 2014. It is highly unlikely that we will ever see a extended support period that long again (it was in part caused by the unpopularity of Windows Vista.)
But application developers have been struggling with supporting up to four live operating systems and thus have increasingly adopted policies that drop support for older versions, normally as or shortly a new OS version is released.
Evidence is that Google may be adopting this ‘developer’ approach as a vendor with Android operating system updates.
What We know
The Android system and many apps on it rely on a component called WebView to obtain and render Webpages, as the name suggests. A vulnerability in WebView was reported to the Googlers in charge of Android Security.
Their response is shown below but it is essentially being interpreted as a statement that Google are no longer supporting Android version prior to 4.4, KitKat.
If the affected version is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
What We Don’t Know
Google have made no other comment on this or any other security issue. A strict and standing policy of “no comment” means that no information is likely to be forthcoming either.
What is implied by the brief comment above is that Jelly Bean (Android 4.3) and before are no longer supported by Google. If this was another vendor you would check the End of Life date for the operating system.
Alas, Google do not publish Android obsolescence dates. This means we are all left just guessing. This is in stark contrast to, say, Microsoft who give clear indications of when they will cease support for a product.
Should We Be Worried?
Many phones younger than two years old will be running these older versions of Android. What holds it back further is whether the phone manufacture or service provider is rolling the updates out to those specific handsets.
The current “WebView” flaw in Android can be worked around for many users (see below) but the real issue is that there will be more, unknown, undeclared and unfixed flaws as time goes on.
That leaves a major part of the Android community at risk in the future.
This is not a “panic” kind of situation but, exactly like the problems around still using Windows XP, you are more at risk and doing something about sooner rather than later makes perfect sense.
One of my phones was purchased two years ago. Normally speak if not be looking to replace it for another year. It is a Samsung Galaxy S3 Mini. Alas, Samsung have announced that the last supported OS version is the Android 4.1.2 that is already on it. It will not get 4.4 KitKat or 5 Lollipop.
I can work around the WebView problem (see below) but the uncertainty around other, undocumented risks and the kind of data I routinely handle means that I need to err on the side of caution.
Therefore I’ve decided to take the leap and upgrade. Well, get a new phone anyway.
What version of Android am I running?
- On the phone home screen press the Menu soft button
- Select “Settings”
- Select “About Device”
The version of Android is listed here
First thing anyone should do is contact their mobile service provider and ask if an OS update is available for their model or if one will be made available and when. Remember that the upgrade needs to be at least Android 4.4 KitKat.
A workaround for the WebView issue is available.
Installing another non-vulnerable browser into the phone provides an alternative way of looking at web content. If the phone is very old, running Android prior to 4.0 Ice Cream Sandwich, this may be impossible.
There are several browsers available. As Android is a Google project it makes some sort of sense to look at Chrome but if you prefer Firefox and other browsers are also available.
As always take care on the Google Play repository. Many fakes and malicious applications are out there.
Once installed a popup screen alerts the user to a choice of browsers. In this case it is worth selecting your new browser and clicking the “Always” option. This prevents accidentally selecting the old less secure browser. The option marked “Internet” is the old default WebView powered browser.
It is important to note that not all applications will prompt in this fashion but most will.
If an update is not available it is worth seriously considering a phone upgrade. Take into account whether any of the data on your phone is confidential, embarrassing or private etc.
Keep in mind that this new phone may well need replacing in two years. Or possibly less. This must be taken into account when deciding whether a phone is affordable.
Most manufactures update their range once a year.
Rapid 7 “SecurityStreet” Blog