
Users of pre-Lollipop versions of Android advised to download Chrome or Firefox web browsers from the Google Play store


One of Google's Android security experts has explained why the company has stopped providing patches for some exploits in early versions of the software, and advised users of those versions to switch to the Chrome or Firefox web browsers on their devices.


News that Google had stopped providing patches for exploits in the WebView technology that rendered web pages on devices running versions up to and including Android 4.3 "Jelly Bean" emerged earlier in January.


The company's new policy was to implement patches if they were provided by security researchers who'd discovered new security loopholes in the technology, or to pass their research on to device manufacturers for them to implement.


Adrian Ludwig, who works on Google's Android security team, addressed the issue in a post on the company's Google+ social network, explaining the challenges of providing security patches for older versions of WebView and the WebKit technology used for web browsing on Android.


"WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two plus year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely," wrote Ludwig.


"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."


According to Google's own stats, 60.9% of Android devices currently in use are running Jelly Bean or earlier versions of the software. That number may be shrinking, but it's still the majority of Android users. If you're one of them, Ludwig has some useful advice on how to ensure your web browsing remains secure:


"Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.


When browsing on any platform, you should make sure to use a browser that provides its own content renderer and is regularly updated. For instance on Android, Chrome or Firefox are both great options since they are securely updated through Google Play often: Chrome is supported on Android 4.0 and greater, Firefox supports Android 2.3 and greater."


It's important advice, because Android users vary so much in their technical knowledge and upgrade habits. Less tech-savvy users who haven't upgraded their smartphone for three or four years may require a nudge to switch web browsers.











