As if Google wasn’t already getting enough criticism from Microsoft and security experts for publicly disclosing a Windows 8 vulnerability, the company is now being lambasted for its own patching policy. Android users who don’t have KitKat or Lollipop on their handsets and tablets, roughly 939 million devices, are exposed to vulnerabilities in Android WebView. Google has known about these vulnerabilities for several months but insists it will not provide patches for older versions of Android.
According to Tod Beardsley, a security researcher at Rapid7, Google has stopped developing patches for WebView bugs in pre-KitKat Android. Security researchers have reported a number of such bugs in the past few months, but Google has declined to fix them, leaving it to OEMs and independent developers to produce patches themselves.
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” Google told Beardsley.
The vulnerabilities are in Android WebView, the component apps use to display web pages inside their own user interface instead of handing off to a separate browser app. On Android 4.3 and lower, WebView is the legacy WebKit-based implementation that Google no longer maintains. That is what makes the problem so concerning: every app that embeds WebView to render web content inherits its bugs, not just the stock browser, so a single unpatched flaw is exposed through many different apps and the Android services that rely on them.
Google replaced the legacy WebView with a Chromium-based one in Android KitKat, so devices running KitKat or later are not affected by these bugs. However, most Android users aren’t on KitKat or Lollipop just yet. According to Google’s latest Android distribution figures, about 60 percent of Android devices run Jelly Bean or an older version, under 40 percent run KitKat, and fewer than 0.1 percent run the latest Lollipop release.
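Since Google leaves pre-4.4 devices to OEMs and developers, the practical check an app author can make is to detect the legacy WebView at runtime and refuse to give it anything dangerous. The following is an added example written for this article, not code from Google, Rapid7 or any project the article describes; the class name, the trusted host `app.example.com` and the policy choices are assumptions. It uses only public Android APIs: `Build.VERSION.SDK_INT`, `Build.VERSION_CODES.KITKAT` (API level 19), `WebSettings` and `android.net.Uri`.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Added example (not from the article): an app defending itself on devices whose
 * WebView will never receive a fix. Class name and the allowlisted host are assumptions.
 */
public final class LegacyWebViewGuard {

    /** Android 4.4 (KitKat) is API level 19; below it the WebView is the unpatched legacy one. */
    private static final int FIRST_PATCHED_API = Build.VERSION_CODES.KITKAT;

    /** Hypothetical: the only origin this app is willing to render on a legacy WebView. */
    private static final String TRUSTED_HOST = "app.example.com";

    private LegacyWebViewGuard() {}

    /** True when the device runs Android 4.3 or lower, i.e. the WebView Google no longer patches. */
    public static boolean hasLegacyWebView() {
        return Build.VERSION.SDK_INT < FIRST_PATCHED_API;
    }

    /**
     * On a legacy WebView, switch off the features most bugs need: JavaScript execution and
     * access to file:// and content:// URLs. Patched WebViews keep the app's normal settings.
     */
    public static void configure(WebView view) {
        if (!hasLegacyWebView()) {
            return;
        }
        WebSettings settings = view.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
    }

    /**
     * Policy decision for a URL: on a legacy WebView only https pages on the trusted host
     * may be loaded; on a patched WebView any http(s) URL is acceptable to this app.
     */
    public static boolean mayLoad(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        if (hasLegacyWebView()) {
            return "https".equals(scheme) && TRUSTED_HOST.equalsIgnoreCase(host);
        }
        return "https".equals(scheme) || "http".equals(scheme);
    }

    /** Load the URL only if policy allows it; returns whether a load was started. */
    public static boolean loadIfAllowed(WebView view, String url) {
        if (!mayLoad(url)) {
            return false;
        }
        configure(view);
        view.loadUrl(url);
        return true;
    }
}
```

To also cover navigations the page itself triggers (links, redirects), call `mayLoad` from the app's `WebViewClient.shouldOverrideUrlLoading` and return `true` (i.e. block) when it says no. This does not patch WebView; it only shrinks what an attacker-controlled page can reach on a device that will never be fixed, which is the most an independent developer can do under the policy the article describes.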
“Google’s reasoning for this policy shift is that they ‘no longer certify 3rd party devices that include the Android Browser’, and ‘the best way to ensure that Android devices are secure is to update them to the latest version of Android’,” Beardsley wrote. “On its face, this seems like a reasonable decision. Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds.”