Google Inc. has stated that it will no longer provide patches for Android vulnerabilities found in older versions...
of its mobile platform software, potentially leaving hundreds of millions of devices at risk. As a result, experts say, security professionals are left with questions about possible fixes or options to safeguard enterprise data.
A recently released report from Tod Beardsley, a security researcher at Boston-based vendor Rapid7 LLC, revealed that Google will no longer provide patches for known WebView vulnerabilities found in Android versions 4.3 and older.
WebView is a core component of the Android operating system, used to render Web pages in the stock Android Browser as well as within apps that display Web content. The official Android 4.4 KitKat change log shows that this component was updated with a newer Chromium-based version of WebView, which Beardsley said is not susceptible to the same flaws as older versions.
According to statistics found on Google's Android developers dashboard, as of the beginning of January, about 61% of Android devices in the wild run version 4.3 or older. CSS Insights estimates that 2014 alone saw 1.28 billion smartphone shipments, and IDC states that Android held approximately 83% of smartphone shipments throughout the year.
While it is unclear how many total active Android devices there are in the world, with more than 1 billion Android devices shipped last year alone, there is the potential for hundreds of millions of devices that will no longer receive WebView security updates and therefore may be at risk.
In a comment to SearchSecurity, Google said its process for providing security updates puts priority on Android vulnerabilities in Nexus devices, which are often running the newest version of Android, and protecting future versions of the OS. In the case of vulnerabilities found in older versions of software, Google will "work with OEMs to communicate when older versions of Android for which they still have devices running require updates." Google also told Rapid7 that it generally doesn't develop patches for versions of Android older than 4.4, but will accept patches submitted to the Android Open Source Project (AOSP). Because Android is open source, any developers could create a patch and submit it to AOSP, including OEMs.
What the WebView flaws mean for enterprises
According to Liviu Arsene, a senior e-threat researcher at Romaina-based antimalware firm Bitdefender, enterprises shouldn't take the WebView issue lightly.
"If it remains unpatched, this WebView Android vulnerability can have serious consequences for a wide pool of Android users," Arsene said.
Nicko van Someren, chief technology officer of Sunnyvale, Calif.-based mobile security vendor Good Technology Inc., noted that any app running the old code could be compromised only by controlling what WebView displays. He also warns that if the WebView exploit is performed within an app with more far-reaching permissions, that app can become "a launching point for other attacks."
Beardsley describes the potential risks in terms of enterprise data, saying that a WebView vulnerability can lead to a compromise of the entire pseudo-SD card storage system, as well as saved session cookies and passwords. It can even lead to the mingling of trusted content with untrusted external content if the user is using a vulnerable browser, or using a custom app that renders in WebView, he added.
According to Dan Dearing, vice president of product and solutions marketing at San Jose, Calif.-based mobile security vendor Pulse Secure LLC., most enterprises have adopted a bring your own device (BYOD) policy, meaning that the number of vulnerable Android devices may vary widely from company to company. Beardsley reported that he still found about 20% of his colleagues using Android 4.3.
Because of the prevalence of BYOD policies, Dearing said that it can be a struggle for organizations to deal with the Android fragmentation problem of wide variation of Android software versions from device to device, and in turn, keeping up with each new vulnerability can be challenging. A better approach, he said, would be to find a way to make Android security more predictable and consistent.
Mitigate the risk of Android vulnerabilities
According to many experts, the easiest way to mitigate the WebView risk is to make sure that any Android devices are updated to the newest OS software, but that is far easier said than done.
"Short of making sure the entire workforce has a current phone with a recent OS, there is no cure-all for this sort of risk, but it can be reduced," Van Someren said.
Arsene noted that not all organizations have the resources for a mobile device management (MDM) product to mitigate such risks or to provide devices to employees that have updated software. Dearing said one possible solution is to enact more prescriptive BYOD device requirement policies regarding what Android devices are acceptable. Companies could even encourage employees to purchase newer hardware will necessarily mean that devices are running newer software with less vulnerability.
However, Dearing also warned that employees will often push back against these sorts of prescriptive policies because they take away freedom in purchase decisions of personal devices, making the policies less effective.
In an organization with resources dedicated to mobile device security, experts said thatthe COPE model (corporate-owned, personally enabled) is a better fit. This would mean that the company provides the device to the employee, but "enables" personal usage of the device, like posting to social media or playing games. The hope is that employees have the freedom to use devices as they wish, but ultimate control still resides with the company.
Arsene said that it can even be more cost effective to replace obsolete devices, in order to keep hardware and software updated. Though he warned that with this strategy, it is important that replacing obsolete devices is performed, "in tandem with an MDM solution that can perform policy enforcement and mange devices based on an employee's status in the corporate directory system."
A key to that MDM is to make sure that Android devices in an organization utilize enterprise mobility management (EMM) software. There are various options in the EMM space, but an important feature, according to van Someren, especially in regards to an Android vulnerability such as that in WebView, is to have software that creates a "secure container" for enterprise data on a user’s device, keeping it separate from personal data, and theoretically more secure. Van Someren said, "Securing the device is not enough -- it's securing the data that is critical."
Within the COPE model, this could mean providing devices that include Samsung KNOX; but, there are options for those who want more flexibility, including Pulse Secure and McAfee EMM. Google has also added EMM frameworks called Android Work into the newest release of Android, version 5.0. Android Work is based on Samsung's KNOX software; Dearing describes it as more of a step in the right direction than a true enterprise-ready technology.
There are many considerations when choosing the right EMM provider, but it should be noted that EMM software is not a perfect solution. According to Arsene, EMM software that enables secure containers has "obvious benefits" like isolating applications from malware or intruders, or allowing IT to perform remote action, but there are drawbacks. The most obvious drawback is that not all organizations have MDM systems in place, and "may not have the infrastructure to support this approach."
"Sandboxing may help protect certain apps, but files created by the user on their own device may not benefit from the same protection," Arsene said, adding that it can also cause compatibility problems and break some app functionality, like access to photo galleries or contact lists.
The rise of the BYOD model, the experts said, has made it necessary for organizations to find a way to mitigate the risk posed by unpatched Android devices. Arsene and van Someren agreed that there is no perfect method for securing out-of-date Android devices, but ignoring the risk isn't viable, and waiting for updates or patches may not be viable either.
They said that there are pros and cons to the available options that allow organizations to have more consistency with Android, and to better control devices, particularly with balancing sound security policy with the freedom users have come to expect from mobile devices.
"There really are no cons to having more security, or an all-encompassing EMM strategy in any organization," van Someren said.
Learn how to balance BYOD risks and rewards