Google Mobile News

Google explains why it won’t fix a web security issue on older Android versions

Share on Facebook
Tweet about this on TwitterShare on Google+Share on StumbleUponShare on LinkedInPin on PinterestShare on Reddit

A single day had passed with Google revealing a Windows 8.1 flaw when news about a security vulnerability in Android came forth- a serious bug was found by independent researchers and security firms in WebView (a component that allows app developers to expose web content within native apps- like ads at the bottom of a free game)  of Android 4.3 and below.

Well, here’s the cherry on the cake, Google is now saying that it won’t fix it ! And why ? Because the fixing would require OEMs to deliver some sort of firmware- which is, not going to happen here. Rapid7, a security and analytics firm who had identified the flaws- got a reply:

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

That means almost a billion people owning sets of the older Android version, are going to have to live with it- without upgrading to Lollipop.

If you think they’ll eventually get around to doing it, don’t hold your breath. The official stand is that it is no longer feasible to “safely” patch vulnerable Android versions of 4.3 and below. Simply put- the fix will requires hordes of code lines, which will in turn create massive, unmanageable problems- especially since developers are introducing thousands of tweaks to Android OS every month.

WebView support is firmly entwined with the OS of the older versions- hence the code problems. However, Google is offering you solutions as practices which users and developers can adopt to stay safe, and be less prone to malicious hackers.

For starters- the advice is to use browsers that don’t use WebView but still get updates, like Chrome(works for 4.0 and above), Dolphin and Firefox- it runs on the decrepit Android 2.3 and above. App creators are advised to use their own web rendering tech or restrain WebView to encrypted site.

Sound advice, but yes, many users will still have a high probability of having problems. The biggest problem is, we users can’t recognize apps using WebView. It will be an slow, uphill climb till this ‘bug’ is completely eradicated.


Add Comment

Click here to post a comment

Your email address will not be published. Required fields are marked *