Life is about to get a lot more difficult for Android users running
older versions of the mobile operating system. Google has decided not to
develop patches for Android 4.3 and earlier versions, according to a
security researcher. That decision could leave 930 million Android users
vulnerable to new exploits.
The issue hinges on vulnerabilities found in WebView, a core component
of the Android operating system responsible for rendering Web pages.
WebView was discontinued in Android 4.4 (KitKat), but is still found in
Jelly Bean and earlier versions of the OS.
Hundreds of Millions of Users at Risk
The news comes via security researcher Tod Beardsley, who works on the Metasploit project, a security testing framework. According to Beardsley, Google responded to an e-mail addressed to its Android security team about a recently discovered vulnerability with the news that exploits in versions prior to WebView 4.4 would no longer be patched. However, Beardsley said Google also told him it would continue to develop patches for other components of Android versions prior to 4.4.
According to Google’s own numbers, that decision would leave the majority of Android users in the wind with regard to future vulnerabilities. More than 60 percent of Android device users are running either Jelly Bean or an earlier version of the OS. KitKat, which was first released in October 2013, is used by only 39.1 percent of Android devices. Beardsley wrote that those numbers would indicate that more than 930 million Android devices are no longer being actively supported by Google.
And although Google released another Android update, “Lollipop,” this past November, almost no one is using it. Users complaining about the latest version of the mobile operating system have said that it is so bad it renders multi-tasking almost impossible.
Opening the Floodgates to Exploits
Rather than develop patches itself, Google is inviting researchers who report new vulnerabilities in WebView to develop such fixes, at which point Google would incorporate them into the Android Open Source Project and distribute them to third-party partners. The company said it would also alert its OEM partners to such vulnerabilities, but would take no additional action.
Some users can avoid the vulnerability by upgrading to KitKat. However, with a suggested minimum memory of 512 MB of RAM, not every device will be capable of running versions newer than Jelly Bean. That could force users to upgrade their handsets as well.
Many users are also not likely to take such steps, however. Buying a new Android device can cost more than $600. Additionally, device makers, such as Samsung and Motorola, are less likely to develop patches of their own for the customized versions of Android being run on their handsets if Google doesn't take the lead. As a result, many future vulnerabilities in WebView are likely to go unaddressed for a very long time, opening the door to a swarm of mass-market exploits, according to Beardsley.