
The Android operating system uses a core component called WebView to render web pages. Because of its role, this component is predictably under constant scrutiny from security researchers looking for risks and vulnerabilities to report to Google. Tod Beardsley, a security researcher at Rapid7 and a member of the Metasploit project, posted that one of these reports was answered by Google's incident handlers stating that the newly found vulnerability won't be patched, since it concerns a version of WebView prior to 4.4 (KitKat):

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Beardsley says that, after some back and forth with the incident handlers, the reason Google gave for no longer developing patches for WebView in Android 4.3 and earlier is that they "no longer certify 3rd party devices that include the Android Browser". In other words, it's simply too old.

That makes sense, actually. The latest version of Android is 5.0 (Lollipop), and before that comes 4.4 (KitKat). Google is therefore dropping patches for versions of WebView that are at least two major versions behind the current one. Considering that some vendors drop support for the older version of a piece of software as soon as the new one is out, this should not surprise anyone. But Android is an exception to the rule.

Android Version Statistics

Google's version distribution statistics as of 5 January 2015

At this moment, the most widely used Android version is Jelly Bean. Lollipop is installed on only 0.1% of the Android devices currently on the market, while KitKat is installed on 39.1% of devices. That leaves more than 60% of Android devices that will no longer receive support and patches for WebView. In practice, around 930 million devices are exposed to newly discovered security risks (including the one Beardsley received this response for) and will not get security patches unless a third party decides to go ahead and develop one.

For software companies, supporting legacy systems can be very resource-intensive and, more often than not, hard to justify. That said, when almost two out of three users are running one of these systems, it's hard to back the decision to drop support.

What do you think of Google's decision? Do you use an older version of Android? Are you worried by the lack of future patches? Let us know in the comments.

Luigi Savinelli

Staff Writer

Gamer since I can remember and now a writer for your enjoyment. Can't say more. Those games will not play themselves.

  • Chris Leudard

    Well that's very shitty of them.
    Android 4.1.2 here, and not planning to get a new one after this if anything happens to it.

  • It’s not really Google’s fault that other manufacturers heavily modify the OS so patching is difficult. If that wasn’t the case, updates would be easy.

  • Len Firewood

    Very shitty indeed considering in most cases you don’t have the option to update the OS as you do on many other devices.

  • Adam Higerd

    (Full disclosure: Google employee, but not on the Android team.)

    Don’t blame Google. Security patches and OS upgrades have always been available. It’s the OEM’s fault for not shipping updates. I’ve been using Android since 2.2 (in other words, since way before I ever knew I’d even have a chance at working at Google) and the updates that Google HAS put out have ALMOST NEVER ended up on my phone because the phone manufacturers don’t care. So even if Google DID keep supporting 2.3, 3.x, and 4.0-4.3, the vast majority of consumers WOULD NEVER SEE IT. It’d just be a waste of Google’s manpower.

    My last phone was stuck on 2.3.5. Never mind that 2.3.7 was readily available FOR FREE to any manufacturer that wanted to use it. There were bugs fixed in 2.3.6 that I had to deal with, not because Google didn’t fix them, but because the phone manufacturer didn’t bother making any updates. And third parties can’t really do anything about it either except on the most popular phones, because dealing with the drivers is a serious pain. (I tried flashing a third-party Ice Cream Sandwich build onto that phone and the hardware compatibility was so bad that most of the hardware keys stopped working right.)

    Don’t blame Google. Blame Samsung. Blame Motorola. Blame LG. (ESPECIALLY blame LG.) And take a good look to see if you should blame your carrier, because it’s not unheard of for one carrier’s phones to get updates and another carrier’s phones of the same model not to get them.

  • Adam Higerd

    The patching isn’t the only big deal. It’s also the hardware drivers.

  • That’s another issue yes. By using OEMs with closed binary blobs, it makes driver patching very difficult.