Google Has No Plans To Fix Web Security Issue For Older Android Versions

A single day had passed with Google revealing a Windows 8.1 flaw when news about a security vulnerability in Android came forth- a serious bug was found by independent researchers and security firms in WebView (a component that allows app developers to expose web content within native apps- like ads at the bottom of a free game) of Android 4.3 and below. According to a report by The Wall Street Journal, Google is no longer fixing bugs in the default browsers for Android versions 4.3 and earlier.

"Keeping software up to date is one of the greatest challenges in security," Adrian Ludwig wrote. Because the browser app is based on a version of the WebKit browser engine that's now more than two years old, fixing the vulnerability in Android Jelly Bean and earlier versions is "no longer practical to do safely," he wrote.

Reasons For Not Fixing The Problem
According to the officials of the company at this stage conducting any major changes required to fix the bug would not be safe. Solving the issue requires a large number of code lines, which in turn will create massive problems. This is especially true because programmers constantly make innumerable small changes in Android OS every few days. This decision of the company has placed the large number of users of the older versions of Android in a dilemma. It is true that the majority of Android users all over the world are using these older versions. A small percentage is using Android 4.4 Kitkat and the percentage of users using the recently launched Android Lollipop is barely 0.1%. Jelly bean remains the favorite among Android users.

The consequence of having so many people running so many different versions of the same operating system is that it becomes far more complicated to protect them, wrote Tod Beardsley, an engineering manager at security firm Rapid7. "Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope," he wrote in a blog post.

The consequence of these facts is that a large number of Android users are left vulnerable to hackers who target millions of smartphones and tablets every year. According to Adrian Ludwig, head of Android security, one of the biggest challenges faced by software companies is keeping it up to date as far as security is concerned. This is because the browser app is based on a version of Webkit browser engine, which is two years old now. It is no longer practical to safely fix the vulnerability in Android jelly bean and earlier versions. According to experts is not usually feasible for users of Android jelly bean to upgrade their software wholesale unless the update is offered by the device maker or wireless provider.

Instead of using stock Android browser, using browsers that don’t make use of WebView and which get regular security and performance updates, like Chrome and Firefox may help to prevent WebView related exploits. But many Android users are not aware of these alternatives and use pre-installed stock browser. Again to use Google Chrome browser minimum Android version is required, Android 4.0. Though for Firefox the minimum requirement is Android 2.3, but many ‘not so tech-savvy’ users are not familiar with Firefox for Android (may be because of its limited exposer in PC world). Again many Android apps use WebView to display web contents and there isn’t any simple way to tell (unless you are a developer or well aware of it) whether an app is utilising Webview.

Labels: ,