Slashdot Mirror


Google Throws Microsoft Under Bus, Then Won't Patch Android Flaw

An anonymous reader writes: Last month, Google took the bold step of releasing the details of a security vulnerability ahead of Microsoft. Microsoft responded and said that there was a patch in the works which was set to be released two days after Google went live with the details. Microsoft accuses Google of refusing to wait an extra 48 hours so that the patch would have been released along with the details of the exploit. Now, let's see what is happening on the Google side of software development. Recently, an exploit has been uncovered in the WebView component of Android 4.3 — estimated to cover roughly 60% of the Android install base — and Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases. It would appear that over 930 million Android phones in use are out of official Google security patch support.


  1. Makes sense. by Anonymous Coward · · Score: 5, Insightful

    Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

    1. Re:Makes sense. by MachineShedFred · · Score: 5, Insightful

      And somehow this is an acceptable situation?

      "Too fucking bad buy a new phone" is not a proper response for a gaping security flaw. I hold Google accountable, as well as the handset manufacturers.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    2. Re:Makes sense. by Rich0 · · Score: 5, Insightful

      I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all. Phones can have security vulnerabilities like anything else - it is just a matter of time before we start seeing exploits.

      They're doing a better job with ChromeOS, with a 5 year support pledge. Ironically that still isn't as good as Windows (10yrs from obsolescence vs 5yrs from introduction). If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

    3. Re:Makes sense. by ichthus · · Score: 5, Insightful

      I totally agree. Google could patch it, but it would then be up to the various manufacturers to push it out (Samsung, et al.) But, despite this, Google should still patch it, for PR's sake.

      --
      sig: sauer
    4. Re: Makes sense. by binarylarry · · Score: 3, Informative

      This is a hit job from a shitty windows enthusiast website (neowin.net).

      Do not click any links!

      --
      Mod me down, my New Earth Global Warmingist friends!
    5. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      You forgot the carriers.

      They're probably the worst offenders of all, as holding back an update means they can use "comes with the latest OS!!" as a selling point on their merchandise.

    6. Re:Makes sense. by sshir · · Score: 5, Informative

      No, you simply didn't get the point. Google can't push the patch to those devices (unless they are from Nexus line). Samsung, LG, etc. must do the pushing. But they won't.

    7. Re:Makes sense. by Anonymous Coward · · Score: 3, Insightful

      Google has fixed the vulnerability in later revs.

      You sir are a twat - Google doesn't control deployment of fixes or updates, your service / hardware provider does.

      If you want Google to control your versioning, then buy a Google product.

      Buying an AT&T or Verizon product running Google's Android OS, leaves you at the whims of AT&T and Verizon as to when or even "IF" you get the updates.

      The same thing holds true for all products running Android - the company that the products are manufactured for control the delivery channel.

      Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

    8. Re:Makes sense. by gstoddart · · Score: 5, Insightful

      Not being able to patch an older system that could be patched, that makes sense to you?

      I'll never understand the logic of Android fanboys. At this point I'll pick iOS and Windows over Android any time.

      I'm sorry, but what?

      I bought my first gen iPad within a month of launch. In less than 2.5 years it was unsupported on the latest version of iOS.

      When I updated my latest gen iPod touch to iOS 8.x, I ran into problems, had a few apps stop working, and generally found myself underwhelmed.

      Apple does the exact same shit, and don't pretend they don't.

      Basically manufacturers expect us to pay for a new device every year or two, and then quickly decree them to be off support.

      So WTF should we pay full price for something they're going to abandon in a relatively short period of time for?

      Sorry, but no. If you want to charge me $700 for a device, I expect you to support it longer than two years. Otherwise, I'm not buying your shit any more, because you somehow think of me as a revolving cash supply.

      In this regards, I think both Android and iOS are sorely lacking.

      So, screw the lot of them. Want these devices to be disposable? Sell them to us at discounted prices instead of your inflated prices. Or if you're going to charge us that much money, support it MUCH longer.

      Two years support for a brand new device? Hell no.

      --
      Lost at C:>. Found at C.
    9. Re:Makes sense. by fustakrakich · · Score: 4, Insightful

      for PR's sake.

      They don't need that anymore. And maybe the manufacturers prefer that Google doesn't patch it. It relieves them of all liability.

      --
      “He’s not deformed, he’s just drunk!”
    10. Re:Makes sense. by spacepimp · · Score: 3, Informative

      Google can't push out updates to the handsets. The carriers by law mandated that only they can update and test the devices. You as a citizen and owner of the device cannot do this yourself either. But sure Google is at fault.

    11. Re:Makes sense. by DerekLyons · · Score: 2, Insightful

      As the grandparent said... I'll never understand the logic of Android fanboys.

      It doesn't matter that someone else may or may not push the patch - it matters that Google categorically refuses to fix a flaw.

    12. Re:Makes sense. by ArcadeMan · · Score: 5, Insightful

      Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

      Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.

    13. Re:Makes sense. by ArcadeMan · · Score: 4, Insightful

      Apple wouldn't stop supporting devices that still count for 60% of their own statistics.

    14. Re:Makes sense. by Wycliffe · · Score: 5, Insightful

      I've been wondering when people would start to take notice of this problem with Android.

      930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
      down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
      to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
      I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

    15. Re:Makes sense. by c · · Score: 4, Insightful

      I hold Google accountable, as well as the handset manufacturers.

      I believe Google's fix is called "Android 4.4" or "Android 5.x".

      That the handset manufacturers can't seem to figure out how to get updates for older devices to newer versions of Android is the core of the problem. I mean, Cyanogenmod generally seems to be able to do it, largely using volunteer labour, so it can't be rocket science (for my handset, vendor support stopped around 4.1... there's a nightly 5.0 now available).

      You could argue that Google should set an explicit support cutoff date for patches for older versions, but when the handset makers policy on end of life ranges from "until the average contract runs down" to "until the retail store's return period has passed", I'm not sure there's much point.

      --
      Log in or piss off.
    16. Re:Makes sense. by MouseR · · Score: 4, Informative

      My iPhone 4s (released Oct 2011) is still supported.

      (Though I replaced it with a newer device, I still use it as an iTouch for various reasons).

    17. Re:Makes sense. by Flavianoep · · Score: 2, Insightful

      If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines. People like to joke about XP, but it was supported just a year ago and what was the latest version of your favorite Linux distro when XP first came out? Being secure without having to do major updates is a big selling point.

      AFAIK, there's no point in "buying" Linux, however, you may buy a support subscription, which can be renewed indefinitely. Upgrading the system is free.

      --
      Linux is for people who don't mind RTFM.
    18. Re:Makes sense. by Enry · · Score: 3, Interesting

      Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 all they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

    19. Re:Makes sense. by ArsonSmith · · Score: 2

      ...in an outdated unsupported version.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    20. Re:Makes sense. by Enry · · Score: 2

      Google doesn't need to fix it. There's Android developers at Samsung, LG, etc. that can fix it as well. There's no interest at any level to fix an old bug like that.

    21. Re:Makes sense. by macs4all · · Score: 4, Informative

      iOS isn't really any better when it comes to patching old devices. Once the poor, poor, tech company responsible for deploying the OS in the first place decides to stop supporting it, you're SOL.

      Are you stoned, or just stupid?

      In stark contrast to the carrier-controlled paradigm of Android software deployment, Apple maintains sole control over the updating and deployment of iOS (and OS X), and although they do eventually draw the line somewhere, it is always at a point that affects single-digit percentages of the User Base, not the majority of Users as is the case here.

      Apple would be positively pilloried in these pages if they tried something even remotely as irresponsible and high-handed as Google is doing (or rather not doing) in this case.

    22. Re:Makes sense. by ArcadeMan · · Score: 3, Insightful

      ... that still accounts for 60% of Android devices.

    23. Re:Makes sense. by Enry · · Score: 2

      Google wants market share. And they have it.

    24. Re:Makes sense. by colin_young · · Score: 2

      It's not just the manufacturers. You'd better hope the carrier you got your phone from (at least in the US and Canada) hasn't got bored of it and moved on also.

    25. Re:Makes sense. by AmiMoJo · · Score: 2

      Something isn't right here. Google can and does patch older versions of Android via the Play store app, which can patch the system. They can and have pushed patches to fix issues in this component before via that mechanism, and the original source (https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior) even mentions this.

      What isn't mentioned is the nature of this exploit. Is it actually something that can 0wn your phone via a drive-by infection? Maybe Google doesn't consider it a serious enough issue to do a patch for. If it's just a crash with no security implication they might think it is better to not try and patch older code, at the risk of breaking something else.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    26. Re:Makes sense. by gstoddart · · Score: 2

      And how many first gen iPads would still be in use if they hadn't been updated to the point of obsolescence? Because my first gen iPad gradually became slower and less useful, right up until Apple said "no longer supported".

      I'm no longer willing to buy a device from either Apple or Google which is anywhere near bleeding edge or current release, there's nothing in it for me.

      If they want to treat their tech as disposable, I'll oblige them -- I'll buy the oldest version of their product, and never apply an update to the fucking thing.

      Planned obsolescence is great to the idiots in marketing. But it's complete crap for the consumer.

      I wish I'd realized they were phasing out the iPod Classic, because since it wasn't running iOS it didn't need to worry about an OS upgrade making it useless. I'd have bought another one.

      If the trend is to build over-priced toys which will only last two years, don't expect to sell me any of your new kit.

      I'll just start to assume that the software will make the device obsolete long before the hardware dies. And I want no part of that.

      --
      Lost at C:>. Found at C.
    27. Re:Makes sense. by tysonedwards · · Score: 4, Insightful

      Technically, Google *did* fix the flaw, in later versions of Android. They just didn't backport said fix to 4.3.

      However, as Manufacturers won't roll a new update off of said backport even if it did exist as they're incentivized to support phones that are under warranty and where possible sell new phones to customers, Carriers would drag their feet on approvals of said updates if they even authorized it at all as they're inclined to both avoid angry support calls from customers about "my phone is different" yet also sell new phones to get people under contract, money disappearing at all levels into the giant black hole of bureaucratic process, what does it really matter? It's a zero sum proposition.

      --
      Thirty four characters live here.
    28. Re:Makes sense. by CastrTroy · · Score: 3, Insightful

      This is why I hate the Android model of updates. I don't have to wait for HP, Dell, Lenovo, and others for my desktop to get updated. There's no reason I should have to wait on Samsung, LG, HTC, or even worse AT&T or Verizon to get an update for my phone. If my phone is running Android OS, then I should be able to get updates straight from Google. I like Android in every other aspect except their update strategy. I am due for a new phone soon, and I really don't want to get screwed over (again) with a phone that doesn't get a single OS update after I buy it. I'm kind of leaning towards Windows Phone at this point. I could consider iOS, but their phones are much too expensive for my tastes.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    29. Re:Makes sense. by c · · Score: 3, Insightful

      In this regards, I think both Android and iOS are sorely lacking.

      With Android at least there may be other providers for updates. It still sucks, but I'll take "sucks but possible" over "sucks and go fuck yourself" any day.

      --
      Log in or piss off.
    30. Re:Makes sense. by aztracker1 · · Score: 2, Informative

      There's already a free fix.. Android 4.4.*, 5.0, 5.0.1 ...

      --
      Michael J. Ryan - tracker1.info
    31. Re:Makes sense. by aztracker1 · · Score: 3, Interesting

      The issue is that the platform doesn't have a common boot, and initialization system... also, said devices are often packaged with only the drivers for that device, specifically compiled for that version of the OS... now that things are maturing, Google should come out with some common driver interfaces so binary drivers can work across platform versions. This would make sense as Google is breaking portions of the OS into upgradable units.

      --
      Michael J. Ryan - tracker1.info
    32. Re: Makes sense. by thetoadwarrior · · Score: 2

      It feels like Google rigged things so they don't have to take responsibility for their mistakes. Of course it's consumers that get screwed not that Google cares since their real customers are advertisers.

    33. Re:Makes sense. by peppepz · · Score: 4, Interesting

      But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

      In the same way, they could update the WebView as well (hadn't they put it into a read-only file system, digitally signed by the device manufacturer). It's a userspace component with no implications on the phone service or the radio baseband.

      In fact, IIRC the WebView can be updated through the market in the newer versions of Android.

    34. Re:Makes sense. by Lumpy · · Score: 2, Insightful

      Not Google's fault that device makers are too damned lazy to compile and deliver updated OS images to its customers.

      When is Microsoft going to patch those flaws in Windows XP!

      --
      Do not look at laser with remaining good eye.
    35. Re: Makes sense. by thetoadwarrior · · Score: 2

      I had a G1 and that definitely quit receiving updates before the 2year contract ended. You'd think Google would try to forward the best image for their debut android device. I've got a friend who has a hard-on for android so he's always stuck with them despite his experiences on updates are similar. His argument is that he can root it which is correct but you should not need to root the thing just to get updates and the vast majority of people can't or won't do that.

    36. Re: Makes sense. by twitnutttt · · Score: 4, Insightful

      But at least there is the *possibility* of getting a patch if Google makes one. Without that, no chance!
      That Google would unannouncedly end-of-life (EOL) a product with the majority of its Android market share makes me so mad!!

    37. Re:Makes sense. by aristotle-dude · · Score: 2

      Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

      Hindsight is 20/20 but they could have copied the idea from Apple where a process would periodically check for vulnerabilities in the background. They could patch the vulnerable component through a google updater on the phone. I don't think most vulnerabilities would require a new ROM for the phone.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    38. Re:Makes sense. by aristotle-dude · · Score: 3, Insightful

      Google doesn't make the version of Android that goes out on e.g. Samsung phones. Google can patch 4.3 all they want, but it's up to Samsung to take the patch, implement it, test it on all their devices, then get blessing from the various carriers to send it out. Given there's still people out there with S3s (and probably S2s) there's no chance they're going to put the effort into it and instead tell people to get the shiny new S5.

      Should not matter. If they are patching the core, the core should be available for updating by google directly by alerting the user of a needed patch. The customization should not be touching the core of the OS.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    39. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      MS supported bug fixes for XP for TWELVE years. Google has barely supported 18 months. There is absolutely no comparison. Use your head and stop blindly worshiping Google and hating MS. I know it's hard to not be a complete idiot, but give it your best.

    40. Re:Makes sense. by Immerman · · Score: 2

      What percentage of Nexus devices are running 4.3 and can't be upgraded to 4.4 or later to get the fix?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    41. Re:Makes sense. by Enry · · Score: 4, Informative

      That's what changed in 4.4. In 4.3 it was part of the OS is my understanding and required a new OS install.

    42. Re: Makes sense. by c · · Score: 4, Funny

      This is a hit job from a shitty windows enthusiast website (neowin.net).

      Do not click any links!

      Relax. This is slashdot. Almost nobody reads the source article unless they need to grab a quote in order to prove a point.

      --
      Log in or piss off.
    43. Re:Makes sense. by Wormsign · · Score: 2

      XP is an excellent example. OS vendors aren't required to patch end-of-life versions of their OS. The real issue is Android, as a mobile OS, gets end-of-lifed far too soon because the carriers won't send out updates anyway.

    44. Re:Makes sense. by macs4all · · Score: 2

      No, I think you're just trying desperately to paint Apple as better when in reality they're not. Call me stoned if you wish, but the reality is that Apple decides when to stop supporting devices, and when they want to push people onto more modern ones, they simply push an update that renders the old devices virtually unusable, because that lets them claim "support" while ignoring all the problems people run into post-update and just telling them to buy a new device. Google is no better, but with both companies the message is the same: upgrade your device, or fuck off. We don't care about the old ones anymore.

      Sorry, but your Fandroid-ism is showing...

      Occasionally, like once or twice, Apple has included devices in an Update that were possibly questionable. However, like with recent iOS 8.1.1 Update, which was created specifically to address iOS 8 performance and memory issues in older devices such as the iPhone 4s and iPad 2, efforts are made to ameliorate the bad-effects of the original 8.0 Upgrade on those devices. How successful those efforts were is another story; however, the point is, in utter derogation of your original theory, when Apple screws up, they do at least try to "make it right".

    45. Re:Makes sense. by Wormsign · · Score: 2

      Google should not have given up total control over the OS when negotiating with hardware vendors and carriers, however, it's also possible Android would not have been a success if they'd been as tight-fisted as Apple.

    46. Re:Makes sense. by Anonymous Coward · · Score: 2, Informative

      Would it be nice if Google could *FORCE* companies like AT&T, Verizon, T-Mobile and Sprint to upgrade the OS on the devices they sold? Hell yes, but that's not going to happen because then these big asshole companies wouldn't sell as much product if people got the latest features on aging handsets and tablets.

      Works for iOS. Carriers cannot prevent the upgrade of devices that can be upgraded.

      Actually, they can, even when OTA upgrades are delivered via Wifi. But Apple has managed to contractually require them to let Apple control upgrades or they don't get to sell Apple's devices. Google does the same thing with Nexus devices. Google cannot, however, interfere in the relationships between OEMs (e.g. Samsung, LG, HTC, etc.) and carriers.

      Google's challenge is that because Android is an open platform our ability to tell manufacturers what to do is sharply limited. Personally, I'd like to see them at least start publicly shaming OEMs who refuse to push important security patches.

      What Google is doing is making things more modular and moving more security-sensitive components into services that are delivered through the Play store, so Google can update them when needed without waiting on OEMs.

    47. Re:Makes sense. by tlhIngan · · Score: 3, Insightful

      930 million phones might be enough. Now we just need someone to write a worm that uses this to get noticed by taking
      down the cellular network for a few days and then maybe someone will get smart enough to require phone manufacturers
      to push updates for a reasonable amount of time (say 5 years after they stop selling the phone).
      I've seen phones stop receiving updates before their 2 year contract is even up. This should be breach of contract.

      Well, technically, phones never got software updates - updates are a relatively new thing.

      And really, the reason Google doesn't push OEMs to force software updates is because of AOSP. Samsung's a big offender, releasing anywhere from 2-3 new smartphones a week in 2014 (seriously, they released over 100 new phones last year), and over 1 tablet a week (yes, over 50 brand new tablets).

      Granted, Samsung has more developers than Apple, Google and Microsoft combined, but you can bet terms like this would be the one that just moves OEMs to AOSP and undo all the work Google did. Hell, Samsung has replacement apps for every one of Google's (they're the only OEM to do so), so they're not dependent on Google's apps to sell phones.

      And no, it's no surprise Samsung is also the largest Android manufacturer out there with a huge market share.

    48. Re:Makes sense. by Anonymous Coward · · Score: 5, Insightful

      This sudden attempt by Google supporters to shift the responsibility is the lamest fucking excuse I've ever seen. Microsoft has supported XP FAR longer than Google has supported... well, anything. I also especially like how suddenly it's not Google's fault for NOT thinking ahead and making it possible to deploy security updates to their OS like certain other phone vendors did BEFORE Google made their competing OS.

      Seriously, for all the bluster here that "it's not Google's fault!" this is 100% Google's fault. It's their security vulnerability, their inability to update many of the devices easily, and their desire to stop supporting something less than 3 years after it was made, despite it still being fully-functional. Since when has the geek crowd become so pathetic that we've bought into the planned obsolescence phase whole-heartedly, and started making excuses for the biggest tech firms on Earth?

    49. Re:Makes sense. by MSG · · Score: 2, Insightful

      If my phone is running Android OS, then I should be able to get updates straight from Google.

      If that's what you want, then BUY A PHONE FROM GOOGLE.

      Otherwise, you're expecting Google to provide the development and support for hardware they didn't sell. Your money goes to company X, but you expect Google to do the work? That's not how any economic system works. You made an exchange of money for goods with company X. Warranty, support, etc is their responsibility. They're the one that you're paying.

    50. Re: Makes sense. by Anonymous Coward · · Score: 3, Insightful

      It is Google's fault for losing control of their OS to the point that they can't push core OS security patches. Who cares if they have moved to a diff version? When 60% of your user base has the old version and there are known security holes then you should patch them.

    51. Re:Makes sense. by syzler · · Score: 2

      When is Microsoft going to patch those flaws in Windows XP!

      Hmm, Windows XP is over 13 years old and has been end of support for 5 years, and still released a security patch 7 months ago.

      Android 4.3 was released 2 years ago. So the EOS was when? A few months after it was released?

      Not that Windows XP and Android are great comparisons, but your jab does not exactly help Google's case. A better example would have been Apple iPhone 1 vs Android 4.3, but even Apple supported the first iPhone for 3 years before ending support.

    52. Re:Makes sense. by macs4all · · Score: 3, Informative

      So, Google should update the older software, and then the users phones still wouldn't get patched because it actually has to be done by the manufacturers, and then approved by the service provider, neither of which want you to still be using your old phone.

      As to Apple, well, they just make sure that all your devices have the newest version of iOS, which will always run like crap on the older phones, driving those upgrades to the new phones that come out a month after the upgrade...

      Want your older version of iOS patched? Well all you have to do is upgrade to the latest version and kill your phone's performance. Don't want to do that, then Apple will gladly tell you that they don't support the older software anymore.

      As I have said in another post to this article, Google could easily change their distribution model for Android to re-capture sole control over its Distribution, like Apple. But they won't; because they simply don't care; nor do they want to be bothered with testing a zillion different platforms.

      And contrary to your tired, Fandroid meme, Apple does not "push" iOS updates to anyone; let alone do so for the purpose of "obsoleting" older models. First off, at this point, regardless of the hardware or software platform, anyone with a piece of equipment that is on the bottom-end of the "Upgrade-able" list who then jumps on an OS Update the very first day, sort of deserves what they get; and second, Apple occasionally releases an OS update that inadvertently degrades the performance of older hardware; but they also have a good track record, like with the recent iOS 8.1.1 update, of releasing further patches specifically designed to address those performance issues.

      So no, the two situations are in no way equivalent.

    53. Re:Makes sense. by Immerman · · Score: 3, Interesting

      According to http://en.wikipedia.org/wiki/A... Android 4.3 is only responsible for 6.5% of devices, with 4.1 and 4.2 combined being responsible for 39.5% and 4.4 for 39.1%.

      Of course that's based on a survey of devices that accessed the Google Play store during the first week of this year, so may not be entirely accurate. Still, it seems likely that 4.3 is a bit player, even if new devices are still available with it. I'd love to see Google backporting fixes, but I can understand it being a low priority. Besides which I'm willing to bet that precious few new devices are running *Google* Android, which means not only would Google have to backport the fixes, they'd also need to convince downstream distributors to port the fixes into their cut-rate custom Android distros - which seems like an uphill battle. And it's not like the various distros couldn't.

      Does any of that excuse Google, or the other Android distros? Of course not. But by this point perhaps I'm just so jaded about the customer-abusive behaviors of the various manufacturers that it doesn't surprise me at all. If you have good support, then you have probably already upgraded to 4.4.x. If not - well then you probably had the option to do due-diligence before your purchase and realize you were going to be screwed on updates anyway.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    54. Re: Makes sense. by Anonymous Coward · · Score: 4, Interesting

      But they didn't. The summary is wrong (plain lying in the hope nobody checks). It's actually a tiny 6.5%.

    55. Re:Makes sense. by NatasRevol · · Score: 2, Insightful

      Good answer for the (hundreds of?) millions of phones that can't be updated; the genius of putting carriers in control of the OS & updates.

      --
      There are two types of people in the world: Those who crave closure
    56. Re:Makes sense. by NatasRevol · · Score: 3, Informative

      Guess what?

      Same problem.

      http://en.wikipedia.org/wiki/G...

      "Google has stated that the Galaxy Nexus will not receive Android 4.4 KitKat,[42] even after having 14,000 signatures requesting it."

      --
      There are two types of people in the world: Those who crave closure
    57. Re:Makes sense. by EvilSS · · Score: 4, Informative

      If my phone is running Android OS, then I should be able to get updates straight from Google.

      If that's what you want, then BUY A PHONE FROM GOOGLE.

      You mean like my Google Galaxy Nexus that is stuck at 4.3 because Google abandoned it after 18 months, and therefore won't be getting this exploit patched?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    58. Re:Makes sense. by gstoddart · · Score: 2

      So you'll never buy another piece of consumer grade electronics?

      If it has a lifespan of 2 years? No, as a matter of fact. If the hardware failed after two years, I'd find a new vendor. If the software is obsolete after 2 years by design, I'm simply not playing.

      My TV, my DVD player, my amplifier, my car stereo, my GPS nav unit, my watch, my microwave, my stove ... all of these things I realistically expect to last at least 4-5 years. There is almost no digital device I will accept a 2 year life for unless it costs about $40.

      If Google and Apple think I'll buy their stuff which is obsolete in two years ... they're wrong.

      I'm old enough to not need to buy the latest shiniest bauble.

      So, yes, if they think they can get away with a product which has a two year lifespan, then I won't be buying it. Especially not for full price. This is a rental model, and there's nothing in it for me.

      Because I've never had any other kind of consumer electronics product where the manufacturers really thought they could get away with that kind of shit.

      You want to buy it, go ahead. Me, I have other things I can spend my money on. It sure as hell won't be a tablet from Google or Apple.

      --
      Lost at C:>. Found at C.
    59. Re:Makes sense. by pushing-robot · · Score: 2

      I know a few people like you, who always buy the lowest-end junk because "they'll have to upgrade it soon anyway". It's a self-fulfilling prophecy; they constantly curse their lousy crap and spend more throwing it away and replacing it every 18 months than I spend on decent gear that lasts 6-8 years.

      But you should never buy first generation bleeding edge stuff either. The iPad 1G sucked, because mobile phone parts were very poor five years ago. It wasn't 'planned obsolescence', Apple didn't go out of their way to put inferior parts into it, they put in what existed at the time. Now that tablets are a 'thing' and chip designers are seriously targeting them, much better stuff exists-- the current iPad has 8 times the RAM and 10-20x the CPU performance of your model. Software designers would have to cripple their apps/sites to support both the latest hardware and yours, and you're not a big enough market for them to care.

      On the other hand, if you'd just waited a bit and got the iPad 2, it would still be supported. Hell, it would still be *sold*, four years after its first release, in the form of the iPad Mini.

      --
      How can I believe you when you tell me what I don't want to hear?
    60. Re:Makes sense. by SvnLyrBrto · · Score: 2

      Thing is... Windows XP's lifespan wasn't short. It was unnaturally long for any OS that doesn't run on IBM big iron. It was absurdly long even by Microsoft's own development cycle.

      Just look at what came right before XP from Microsoft. In the same 13 years that XP was around; everyone would previously have gone from Windows 3.1, to 95, to 95 OSR2, to 98, to 98 SE, to NT 4, to 2000, to ME, and then to XP. And even that's actually skipping a few versions that were especially craptacular or never really escaped from some very specialized use cases like 3.11, windows for workgroups, pre-4.0 versions of NT, and that bastard hybrid scheme of Windows running inside Novell Netware.

      I may even be missing a few more versions there. I also didn't include the half-dozen service packs for NT 4; any one of which (But especially the odd-numbered ones.) was just as likely to break everything as a full OS upgrade. Plus a decent number of people still ran on various versions of MS-DOS for about half of that time frame.

      So when I hear whining about the hassle of finally having to upgrade from XP, or about Linux vendors LTS being "only" five years, I really have to wonder just how the hell did these people manage before Microsoft went stagnant for a decade? Were all of the 1990s basically a solid, continuous, hissy-fit on the part of the world's MCSEs?

      Sorry. But for all the other reasons I hate Microsoft, finally taking XP out back and shooting it just isn't one of them. It was one of MS's GOOD moves. And it was long overdue.

      --
      Imagine all the people...
    61. Re: Makes sense. by Rich0 · · Score: 3, Insightful

      I had a G1 and that definitely quit receiving updates before the 2 year contract ended.

      The G1 and ADP stopped receiving updates before they even stopped selling them. They didn't even get Eclair (officially), despite the ADP being the official Google developer phone up until the Nexus One came out. Fortunately none of the Nexus devices suffered that fate, though many were only supported for 1.5 years.

    62. Re: Makes sense. by danbob999 · · Score: 4, Insightful

      The patch exists. It's called Android 4.4.

    63. Re:Makes sense. by Plumpaquatsch · · Score: 2

      Something isn't right here. Google can and does patch older versions of Android via the Play store app, which can patch the system.

      That only can patch APIs, not anything in the kernel. The only thing not right here is your Fandroidish "Google can do no wrong".

      --
      Of course news about a fake are Fake News.
    64. Re:Makes sense. by unixisc · · Score: 3, Insightful

      I thought that that changed in 5.0 - Lollipop - the thing people were creaming here on /. a few days ago

    65. Re: Makes sense. by AuMatar · · Score: 3, Informative

      Which has very significant changes to how external storage, SMS, and several other features are handled that break a significant number of applications. 4.4 was not a minor release.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    66. Re:Makes sense. by TopherC · · Score: 2

      I agree this article is mostly foolishness, but underneath this is a substantial issue with Android. It would be much easier for a provider to push a security patch if it were backported from the latest-greatest release to some of the still-active prior releases. Even then there would be a substantial time delay. The manufacturers do some initial porting of newer Android releases to their hardware, and then the providers take that software and customize it further. Most of what the providers add is best described as bloatware (and some spyware like carrierID), but some of this is network-specific support. Lots of testing happens at each stage, especially by the manufacturer.

      Porting to a new Android platform actually requires a lot of additional work as often the hardware interfaces (HAL) are modified and expanded. In addition each manufacturer has a highly customized version of Android at various levels, and porting all of this takes significant effort.

      Because of all this, there is no quick way for Google to "release" a patch to people's phones (except for the Nexus phones). Google could help to hurry some security patches by backporting them, but manufacturers could also do the same. It is not, technically, Google's job to do anything but support their Nexus line. They also keep most of the platform code open (publicly available anyway), allowing other manufacturers to follow along or do as they please. And because porting does require such effort, Google also needs to continue to find ways to provoke the major manufacturers into keeping up the work.

      This model for Android platform software has been successful, but is obviously flawed when it comes to distributing prompt security patches to users' devices. It's easy to gripe about this but difficult to come up with practical solutions.

    67. Re:Makes sense. by PincushionMan · · Score: 2

      No, not with encrypted-locked bootloaders becoming common. For Verizon starting with the Samsung Galaxy S3 and phones after that era, and AT&T with the Samsung Galaxy S4 and other phones, you will have a tough time putting anything other than what the carrier supports. You may get lucky and be able to break it, but it takes a lot longer. If there are unlocked bootloaders available, you may be able to take matters into your own hands, but it is quite risky.

      Also, when you buy a phone locked to a carrier, you may not be getting what's advertised elsewhere. iPhones are universal, Android, not so much. The AT&T Galaxy S3 (i747) was completely different than the international S3 (i9300). Some things were better - more RAM (2GB vs 1GB), slightly faster processor (1.5 GHz vs 1.4GHz), and faster cellular data (4G LTE vs 3G). Other things weren't so good - dual core instead of quad core (Snapdragon S4+ 'Krait' vs ARM Cortex-A9), weaker graphics processor (Adreno 225 vs ARM Mali 400), less storage (16GB vs 32GB), and a lot less battery time. And a broken GPS, if you upgrade to KitKat - even on stock. I wouldn't recommend buying a locked carrier phone (other than an iPhone) for anyone.

    68. Re:Makes sense. by unixisc · · Score: 2

      But you cannot update the OS via the play store - one has to go into settings and go from there. So while they may have a newer version of the OS, fact remains that phones or tablets w/ the previous version cannot be upgraded to the new one, unless one is technical enough to know how to root the device and go from there. It's true that they've supposedly improved things in Lollipop, but for now, people on Honeycomb, Icecream Sandwich or Jellybean are SOL. There should be a way to get it from Google even if the hardware manufacturers don't do squat.

      Also, I can imagine hardware manufacturers being responsible for the device drivers and other things to exploit things like camera features, or the touch screen. Why would they be responsible for anything else in the OS that makes it either difficult to upgrade, or incompatible w/ the upstream OS? People (in the US) are usually tied to a 2 year contract, and only after that can they upgrade for free w/ a new 2 year contract or something. So why make it difficult to upgrade phones that people won't be able to trade in for a while anyway?

    69. Re: Makes sense. by Solandri · · Score: 4, Insightful

      That was my impression too just from reading the summary title. Google only "threw Microsoft under the bus" if Microsoft was standing in the middle of the street, Google told them for 3 months that they were standing in the middle of the street and they should get back on the sidewalk, then on the 91st day they told the public that hey this guy is standing in the middle of the street please try to drive around him, then a bus came and hit him and you somehow consider it to be Google's fault.

    70. Re: Makes sense. by Anonymous Coward · · Score: 4, Informative

      Google can't patch most Android phones at the OS level, other than Nexus. Putting cyanogen to one side, anything else either needs the phone manufacturer, or the manufacturer & the carrier.

      The vast majority of Android phones sold are sold via carriers, at subsidized pricing, and come with a carrier specific build of the phone vendor's Android distribution. The phone vendor can't patch these devices on their own, the carrier needs to be involved.

      That's why it takes so long for Android patches to actually get onto phones via these channels - Google might fix something, but the rest of the process could take 6-18 months from when Google ships, if it ever happens.

    71. Re: Makes sense. by JDeane · · Score: 2

      Well sort of both actually,

      The people who made the phone need to make the updates, the carrier needs to push the update out on its network for the phones.

      In super rare cases you can download the update yourself and install it, but most of the time if your carrier doesn't push out the update you're stuck.

      CyanogenMod and other things like it are more likely to do updates for your device depending on what it is.

      http://www.cyanogenmod.org/

    72. Re:Makes sense. by SiChemist · · Score: 2

      Android 4.3 is on 6.5% of android devices.

    73. Re: Makes sense. by RavenLrD20k · · Score: 4, Informative

      Ok..so who made the phone? Samsung? LG? HTC? Or were you lucky enough to get a Google Nexus device?

      Who sold it to you? Verizon? T-Mobile? AT&T? Sprint?

      Oh..did you go to a box retailer to get your phone like RadioShack, BestBuy, or Walmart? Guess what, you still bought your phone from Verizon, T-Mobile, AT&T or Sprint (US centric). The box retailers only get authorization to sell the devices from the Carriers and beyond a "service plan" for replacing the phone when it's broken, have no obligation for OS support. If a box store sells a phone in a manner against the contract agreement the store has with the carrier, even if the end purchaser keeps the phone and maintains good standing on contract he signed in the store, the carrier will bill the store for the full price of the phone that was sold "improperly" and a negation of whatever subsidies the Carrier promised the store for said phone/activation in a procedure called "Charge-backs." I know that at least with Sprint, these Charge-Backs will occur if the end purchaser winds up canceling his contract within 6 months.

      The Carriers get and give authorization from/for the device manufacturers to build phones for them (it's a contract negotiation back and forth). Google pushes out an update to the Manufacturers who have to make the drivers for the update to work with their hardware, then the Manufacturers submit the updated OS to the Carrier, and from there it's up to the Carriers to decide (historically: ignore) whether or not the update gets pushed to the end devices.

      At least this is how it was until KitKat (4.4). With KitKat Google took back a significant amount of control over how OS updates get pushed out by putting most of the core OS functionality into the GooglePlayServices.apk. Now the only time Google needs to submit an update to a carrier is if there's a major patch issue that needs to be addressed between the operating system and the hardware. All other operating system and security upgrades are pushed through the Play Store from here on, bypassing the Manufacturer and Carrier update process altogether. They did this simply because Fragmentation was becoming such a big problem and Google wanted to get a handle on it. Knowing this...why would Google want to try to push an update out to an OS that they have so little control over compared to the current versions, especially considering that it's more than likely the update wouldn't even be pushed out to the end devices? Fortunately or Unfortunately, the other side of this is that KitKat has become the rut for Google that XP was for Microsoft, and it may be a couple OS versions still before people move from KitKat to the new shiny.

    74. Re:Makes sense. by gizmo2199 · · Score: 2

      Ironically, with Android, Google made the same compromise that Microsoft made with Windows, that is make the core OS, but outsource hardware to a million different OEMs, in order to get your software running on a greater ecosystem of machines, unlike the Apple model of controlling both the hardware, and the software, as is the case with Macs and iPhone.

      Except, now Google has run into the same issues Microsoft ran into with Windows, namely now they have to either a) support a million different hardware configurations, or b) drop support for "legacy" hardware with every new version of their OS.

      Except of course there's a third party involved, the telecomm companies that are responsible for providing OTA updates at their whim, whereas Microsoft never had that problem. If anything, they dictated the upgrade schedule for OEMs, leading to the infamous $2,100 email machine.

      So Android is a real conundrum, on the one hand, it's open source, but on the other, very few phones actually get the latest release installed, and that's if the telecomms don't cripple the software by installing crapware on it. And there's just enough closed-source binary blobs on the phones that you can't really install your own version either.

      My advice, get a nexus, or don't get an android phone.

      --
      This Sig does not Exist.
    75. Re: Makes sense. by amicusNYCL · · Score: 2, Informative

      Check your math. The flaw exists in Android 4.3 and older. 4.4 has 39.1% share, and whatever version number version L is has 0.1%. The remainder is 4.3 and older.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    76. Re: Makes sense. by twitnutttt · · Score: 2

      Or rather, they have no incentive to push software updates, so people will have a greater incentive to buy a new phone, even if, as we can see, old versions of Android have plenty of security vulnerabilities.

      Yeah but, as if a security vulnerability is going to lead the average Android-toting club kid or soccer mom to go buy a new phone. How many people even know what a security vulnerability is or that their phones *can* have them, let alone find out when a new one is discovered and they should go buy a new phone (if that's the solution)? OTA updates are supposed to be "pushed" so people just click some "OK" button they don't understand.

    77. Re: Makes sense. by twitnutttt · · Score: 2

      4.4 is not a "patch." That's a major release that some large proportion of the hardware out there will never receive support for!
      Not the same thing.

    78. Re: Makes sense. by unixisc · · Score: 3, Insightful

      That's b'cos the architecture of the 2 are completely different. Windows Phone 7.x is based on Windows CE, while 8.x is based on Windows NT. So one can't expect to upgrade from a Windows Phone 7 to a Windows Phone 8 on the same phone.

    79. Re:Makes sense. by mjwx · · Score: 2

      But Google continuously updates Google Play Services on my phone without me even noticing, let alone the carrier or the device manufacturer approve and test the changes.

      This is because Google uncoupled Google Play services from the OS. It is essentially an application on your phone now. Vanilla (AOSP) Android does not come with Google Play services.

      Google did this a few years ago precisely because carriers were not updating the OS and they had absolutely no means to force carriers to do so even when critical bugs in the Android Market (what Google Play was called back then) were fixed.

      Because carriers have legally tied their hands, Google worked to uncouple all their applications from the OS, not just Google Play but Gmail, Browser/Chrome and so forth.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    80. Re:Makes sense. by Grishnakh · · Score: 3, Insightful

      I've been wondering when people would start to take notice of this problem with Android. There is no general policy of security backports on it at all.

      If you want to see big companies taking linux seriously vendors need to start matching Windows support timelines.

      Wrong.

      Android is not Linux. Android being mismanaged has nothing to do with Linux versions such as Red Hat, Ubuntu, Arch, Debian, etc.

      Anyway, no one really cares that much about desktop and server Linux distros having support for that long because it's easy to simply update the OS to a newer version periodically: it doesn't cost anything, and it doesn't usually break anything either (unlike Windows where changing from, say, XP to 7 will break all kinds of things because there's so many fundamental changes in the OS).

    81. Re: Makes sense. by RavenLrD20k · · Score: 2

      I did some research into your OnePlus One and it's apples and oranges to the discussion here. The OnePlus One doesn't even use Google's Production Android; it uses CyanogenMod. CyanogenMod is not maintained by Google in any shape or form beyond the base source of AOSP. AOSP is open to whatever developer wants to take the source and morph it into something that fits their need. This is what Cyanogen does. They take the code from AOSP, customize it and patch it their way, then put that out. If OnePlus went with the official Google releases of Android, then they would have the same power of deciding on which patches to push as any other manufacturer. Face it, the OnePlus fills a niche market that the majority couldn't care less about. The masses don't want a developer phone... they want one that works and they don't have to mess with constantly. That said, I probably wouldn't mind having one myself as yet another cheap computer thing to tinker with (alongside my DigiLand Tab, Retired Galaxy S3, Retired ZTE Vital, Retired Samsung Infuse, 2 Retired LG Optimus Vs (Optimi?), multiple Arduino Boards, and 3 BeagleBone Blacks).

  2. Don't be Evil by Anonymous Coward · · Score: 5, Funny

    Or if you do, divert attention by saying Microsoft did it first

    1. Re:Don't be Evil by kthreadd · · Score: 2

      The hardware provider should push Android 5.0, not update legacy releases.

  3. Doesn't really matter if they do patch it by oobayly · · Score: 3, Insightful

    Even if Google were to patch 4.3, it's unlikely that it would ever hit anyone's device as the manufacturers are so shit at pushing out updates. Not that this is a defence for not patching it - Jelly Bean was only released 2.5 years ago.

    And it's not just some manufacturers, Google is just as guilty - my [2013] Nexus 7 asked me whether I wanted to upgrade to Lollipop, I was busy at the time, so I hit no. Now I can't get the thing to see that there *is* a new version - 5.0.2 was released 3 weeks ago, and it still says "Your system is up to date". Like fuck it is.

    1. Re:Doesn't really matter if they do patch it by ZosX · · Score: 4, Informative

      As an unhappy lollipop user on a 2013 nexus 7 all I can say is don't bother. My free ram has dropped from 1gb to 400mb. I can't even keep two tabs of chrome in ram now. I'm seriously considering downgrading unless google gets this release right. Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

    2. Re:Doesn't really matter if they do patch it by tobiasly · · Score: 5, Informative

      Furthermore we are up to version 5 of android and there is still no way to push security updates? That's a pretty serious fail IMO. Google might want to rethink that strategy before it seriously burns them in the long run.

      They have rethought that strategy, and the solution is Google Play Services. All of the critical functionality has been moved there, which they can update via the Google Play store. Most of the individual apps have moved to independently-updatable Google Play apps as well. The WebKit based library discussed here has been replaced by a Chrome-based version, which also receives regular updates.

      And yes, all devices Gingerbread (2.3) and above get these updates. The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly.

      I'm not excusing Google for not fixing it here, but saying that version 5 still has no way to push security updates directly is incorrect.

    3. Re:Doesn't really matter if they do patch it by bmajik · · Score: 2

      The problem is that the WebView is one of the remaining pieces that was still tied directly to the OS in those earlier versions, so it can't be updated directly

      Wait. It sounds like you're saying that on older versions of Android, the Browser Rendering Engine is part of the OS?

      This sounds familiar. I think a very large software company has made a claim like this before... it was somewhere around 15 to 20 years ago...

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    4. Re:Doesn't really matter if they do patch it by Rich0 · · Score: 2

      And then when google moves more stuff from the base system to play services, everyone is crying bloody murder for taking stuff away from AOSP and not open sourcing anything.
      There is no winning, is there

      Well, nothing prevents Google from open-sourcing that stuff all the same, or splitting Google Play Services into a component that actually pertains to Google Play and another to core OS functionality and open-sourcing the latter.

  4. Google's official support policy by Anonymous Coward · · Score: 5, Insightful

    1- You can go buy a new Android phone; or
    2- You can go fuck yourself.

  5. They gave MS 90 days by Anonymous Coward · · Score: 5, Insightful

    I don't believe for a moment that MS were working flat-out on the patch for 90 days - it's more likely that they left it until the last minute, and then assumed that Google would make a special exception for them.

    Sorry Microsoft, the deadline is the same for everyone.

  6. Google doesn't support old versions? by nine-times · · Score: 3, Insightful

    Google is saying that they will not patch the flaw. Google's only reasoning seems to be that they are not fixing vulnerabilities in 4.3 (introduced in June 2012) anymore, as they have moved focus to newer releases.

    To me, this only really seems like a valid position if vendors allowed people to upgrade at will, but as far as I know, Android users are still held to whichever version their carrier/manufacturer allow. June 2012 is only 2.5 years ago, which means (I'm guessing) that it's possible you purchased a phone less than 2 years ago that had this version of the OS. That means, you could have purchased your phone brand new, it might still be under contract, and it's unsupported.

    Now, if you're free to install the latest version on your phone, then it seems much more reasonable.

    1. Re:Google doesn't support old versions? by C.+Mattix · · Score: 2

      Exactly. Google seems to act like their Android ecosystem vs. iOS ecosystem is analogous to the PC vs. Mac world of the 90s/00s. To some point it is, however, with PCs, the customer actually OWNED their device. They could install, repair, reinstall, update, whatever they would like. Now with carriers dictating what you are "allowed" to do with your hardware that entire philosophy is broken. For example, I had a Sony Xperia phone. Sony actually did provide updates to the Android version that could be installed and ran on the hardware. However, ATT decided that they didn't like that and prevented it from being deployed so I had to be stuck with the "old" firmware.

      I shudder to think about what the technology world would be like now if the current "mobile device" business model was applied to the general PC market in the 90s.

  7. Microsoft over Google any day. by Anonymous Coward · · Score: 2, Interesting

    The MS of the '90s, harangued endlessly by a shockingly left-wing government (by today's standards), ended up being put in its place not by regulation but by competition. But even back then, as it dominated the desktop and the browser, it showed high respect for client privacy and control. Google's monopolistic behaviour knows no bounds. I'd take MS any day.

    In my 30 years in IT, the difference I've found between MS and [insert any other brand] is that nobody loves MS - there is no religion as there has been around Apple, or Linux, or Google. They're practical businesspeople, who sometimes show excessive greed and stupid short-sightedness, but are always judged on their merits - people will abandon them as quick as they'll choose them, if they turn bad. And that's a good thing. It keeps them on their toes. Ballmer was a dick in the works for a while, but he's been kicked out, because everyone said exactly what they thought - there weren't hordes of fanboys(*) telling the world how wonderful the Start Screen is.

    (*) Paid exceptions exist, such as Paul Thurrott. But nothing like him exists in the userbase.

    1. Re:Microsoft over Google any day. by Impy+the+Impiuos+Imp · · Score: 5, Informative

      Microsoft learned to placate government officials by donating to them. They sought power so they could gin up memes like "anti-competitive behavior" and sic true believers AKA their meme enforcement cogs, until the politicians git paid to get back out of the way.

      Now, having placated the US federal government, most state governments, and most individual EU countries, they must now focus on placating the EU parliament AKA European Federal Government, whose politicians now are wondering why they, too, can't get a piece of the pie.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  8. Android is not Chrome. by pla · · Score: 5, Insightful

    First, I consider myself a fan of the Googlesphere. I love Android, love Chrome, love GMail, enjoy the availability of their online Apps, and so on. (Hate hate hate Google+, though).

    And saying that - Google needs to come to terms with the fact that they can't get away with the same bullshit update cycle for an OS installed on physical hardware, as they do with Chrome. For a desktop browser, weekly updates with support ending more-or-less after a year counts as an annoyance, but not a deal-killer. For an OS, just "no". My last phone lasted a decade - Support your devices (at least for critical vulnerability patches) for at least that long, or GTFO of the playground.

    1. Re:Android is not Chrome. by Shakrai · · Score: 2

      (Hate hate hate Google+, though).

      Why? I love G+ when compared against the competition; better software, a slicker interface, higher signal to noise ratio, it's better than Facebook in every metric except for the minor little detail that hardly anybody uses it. I was hoping that they would mount a serious challenge to FB but it seems unlikely that is going to happen, barring some huge mistake on FB that alienates a critical mass of people.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Android is not Chrome. by pla · · Score: 2

      In fairness, I loathe FaceBook as well.

      Key difference, though, Facebook doesn't nag me to join every time I check my email or calendar or pull something off my Drive. No doubt, they would if they offered any other services I had an interest in using without using FB itself; but since they don't, that doesn't really apply.

  9. The truth of the matter by JonathanP.Bennett · · Score: 5, Insightful

    The original article doesn't give any details as to what this "exploit" is in Android. Even if it is a real exploit, no new phones will be made with Android 4.3, and at this point, no manufacturer would push an update to an old device even if Google did fix it. As to Google throwing Microsoft under the bus, that is utter crap. Google privately disclosed a vulnerability to MS, and *TOLD THEM* they had 90 days. After 90 days, Google publicly released the vulnerability. This is standard stuff. Giving a deadline is the only way to keep vulnerabilities out of the NSA toolkit and force MS to actually fix it.

    1. Re:The truth of the matter by Angua · · Score: 5, Interesting

      Google made the 90 day deadline up, sure. But they are enforcing it, which I think is pretty cool. MS wanted them to wait two days. TWO DAYS. Which says to me they were testing the waters. No way those two days were actually crucial for MS. If you can finish the job in 92 days, you can finish it in 90 days (especially when you have the resources MS has). They were simply finding out if Google would bend their 90 day rule. Next time, it would be a week. The time after, it would be a month. Until they could and would just ignore it. Since Google stuck to their guns, MS has to resort to the tactic of making Google out to be the bad guy. Which, to be fair, they kind of are. MS doesn't like to be bossed around any more than anyone else. But to me, this is the type of pressure which is on the whole beneficial to the users in the long run.

      --
      I am not a vegetarian werewolf.
  10. Re:Yet another Google fan boy by poetmatt · · Score: 2, Funny

    Please keep writing your Neowin articles, as they provide us countless entertainment based on conjecture.

  11. 930 MILLION devices vulnerable by scottbomb · · Score: 4, Insightful

    It would seem to me that they have a responsibility to support the versions that are in use by the majority of their customers. This whole idea that 2.5-year-old software is "ancient" is a load of BS. Imagine the outcry if Microsoft quit supporting each version of Windows after such a short time.

    1. Re:930 MILLION devices vulnerable by Enry · · Score: 2

      For cell phones that have an average life of 2-3 years?

  12. You can still buy new phones with 2.3 by sirwired · · Score: 2, Informative

    You can still buy fresh-from-the-factory phones that run nothing better than Gingerbread (2.3). Halting updates on anything but KitKat and above is incredibly blinkered.

    That said, Google really needs a better way of deploying updates other than patching the main tree and depending on their device vendors/carriers to eventually issue an update.

  13. Android support is a long term Clusterfuck by Virtucon · · Score: 3, Interesting

    I write software for Android and what bothers me is that there's always this push for latest and greatest while we still have a significant number of devices getting left out in the cold because they're 2 or more years old. Android is a three-legged stool: Google, Device Manufacturers and Carriers, and all three have to get their shit together on patch management and routine updates to the devices. All of them share equally in this problem yet they just seem to be aligned to always force you to buy a new device to get what most would consider reasonable software support. That's bullshit. Sure Google, we get it, you want everybody to be on the latest and greatest and yes there are features that can't be supported with every new release; however, there's that sticky little thing called time to market and while you may come out with a new release, the uptake by your licensed manufacturers isn't that fast. 4.3 didn't become available widely in devices until late 2012 which is just in time for Christmas so that makes 4.3 only 2 years old basically in terms of market exposure. That's young for a smart phone. I also get it if HTC or Samsung or Vendor X out there don't want to support software in order to entice you to buy a new device, but at $600 to $800 for a high end smart phone you're not going to see the majority of your customers buy a new one every year just to keep up with the latest version of Android. That's borne out by the 1 Billion devices on 4.3 which is a pretty large market. Oh and to you carriers, your bloatware and other crap isn't helping either. If you're not willing to support it for at least the life expectancy of the device, which can be up to 5 years now, then get it off of there so you can at least improve your release time frequency so that your customers aren't left with insecure devices.

    Google needs to take the lead here and work with the downstream manufacturers and carriers to fix this shit because it's becoming a nuisance for the development community and for the end users.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  14. False sense of security by Dishwasha · · Score: 4, Insightful

    I'm sorry, but are people actually under the impression that their phones are secure?

  15. Problem with Apple, Microsoft, Google, etc... by pubwvj · · Score: 2

    This same problem is happening with legacy software all over the place be it from Google, Microsoft, Apple or other vendors. There are billions (YES! 1,000,000,000's) of devices out there that work just fine but can't use the latest operating system from the vendors so they aren't getting patched. This creates BILLIONS of opportunities for hackers, worms, trojans, scammers, etc all because the vendors are greedy and don't want to keep supporting hardware and software that is only a few years old.

    They should be offering legacy support out at least a decade. It is very doable with conditional compilations to build the latest operating systems for the older hardware of even 15 years ago. It simply won't have some features like transparent windows and other eye candy. The software should gracefully fall back to fit the hardware. This is doable at the compile time which avoids having overly large software packages.

  16. Re:Separate component in Lollipop by macs4all · · Score: 2

    No one is going to push out a 4.3 OS update even if Google provides one.

    You realize, of course, that with the stroke of a key, Google could change their deployment terms and take full control over Android's deployment to end-users, just like Apple does with iOS.

    If the Android user-base is as large as the Fandroids say (or even close to that), then not one hardware vendor nor carrier would dare to kiss-off Android if Google changed its terms regarding deployment to something similar to what Apple does.

    Fact is, Google simply doesn't care about anything but ad impressions. Anything else is as the buzzing of flies. That's why it will never change Android to a more "consumer-friendly" distribution model.

    Never.

  17. Re:Yet another Google fan boy by Ravaldy · · Score: 2

    It's funny how people are willing to trade hundreds of evil companies (Bell, Verizon, AT&T, MS, Apple...) for one greater evil (Google). For those who do not understand what is happening, Google owns the future of marketing. The places to advertise your product effectively are becoming more and more scarce. TV providers can see their market shrink year after year and this is partially due to PVRs and the availability of content via stream. This is also why sports distribution has become a hot commodity with the NHL contract for Canada going to Rogers for 5.2 billion (12 year contract). Nobody PVRs a hockey or football game but an episode of The Walking Dead or Game of Thrones is fine for watching later.

    Google looks good because they give everything for free in exchange for your time (advertising). Anybody that can milk that model is bound to eradicate the competition. After all, who can compete with free? As of today Google owns 88% of the world's searches with Bing right behind at 4.5% ;)

    Don't take me wrong, I love Google's products but I fear them as much as I love them.

  18. Re:User-controlled updates? by Kultiras · · Score: 2

    Windows Phone allows user-controlled updates. *ducks the multitude of flying Android handsets*

  19. Well, let the free market work! by frank_adrian314159 · · Score: 2

    If you're pissed off at Google for not fixing defects in older versions of Android, you can always switch to an iPhone or a Microsoft Windows phone. Why are you folks always whining about corporate decisions that make financial sense? Unless, of course, you're willing to do something and make those "financial decisions" hurt the corporation involved.

    Don't like how Google won't fix bugs? Don't buy an Android next time.

    Unless you also want to say that the free market doesn't fix everything. There's a reason for various regulations concerning warranty and support regulations. Especially for vital telecom infrastructure.

    --
    That is all.
  20. Re:Yet another Google fan boy by Anonymous Coward · · Score: 2, Funny

    You wouldn't have this problem if you were a MyCleanPC.com user.

  21. Re:Agree by lgw · · Score: 2

    I think my Android phone is running 2.2? Whatever the first version that you could get on non-Google hardware was. What is this "patching" of which you speak?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  22. No, it doesn't!!! by unixisc · · Score: 3, Informative

    Even if they patched it for 4.3, there is approximately zero chance that it would be pushed out as an update by anyone.

    The proper solution to this is for Google to be listed as a source for updates, in addition to the OEM and/or carrier. That way, people who are looking for updates can get it.

    Not patching Android 4.3 is not a valid reason. Unlike Windows XP which was upgradable to Windows 7 and beyond (even if it required hardware upgrades), that's not so easily done w/ Android hardware. I have an Ellipsis w/ 4.2.2, which I'd love to upgrade to Kitkat or Lollipop, but can't. Nor can I upgrade the internals of that tablet (RAM, storage) so if Google suddenly says that they won't update the OS, I'm screwed. I know there is a big inertia in the market as a result of there being 3 potential sources of software - Google (or Microsoft in case of Windows Phones), the OEM and the carriers. But everybody tossing the ball to each other just leaves a sour experience for customers.

    I know no organization wants to maintain 3 or more versions of anything. But that's not a valid reason to expect people to discard phones or tablets bought within the last 3 years. The tablet I'm describing is something I got last May, so I shouldn't have to discard it just b'cos its OS is not being patched and it can't run the latest version that is being patched!

  23. I love a good Google hate thread... by clonehappy · · Score: 3, Insightful

    ...as much as the next guy. But honestly, are there still nerds in 2015 who don't understand how the Android model works? Think of Android as "Linux". Each manufacturer has their own distro of Android, and then there's the "reference" distro, made by Google, that is on Nexus devices called "Stock Android". All the distros are based on the "Stock Android" distro, and the manufacturers customize and add on from there.

    So, blaming Google for a flaw in a previous version of Android is like blaming "Linux" for a security flaw in a previous version of Ubuntu. See how much sense that makes? All Ubuntu has to do is use a more recent kernel/library/whatever that doesn't contain the flaw and release an update or new version. The same thing goes for Android, all the handset manufacturers have to do is release an update that contains the fix, and their problems are solved. A current build of "Stock Android" already contains the fix, your manufacturer's outdated distro, however, doesn't.

    There are plenty of things we can legitimately blame on Google, but blaming the flaws of handset manufacturers and cellular carriers on Google doesn't help anything. Put pressure on your carriers and manufacturers to stop dragging their feet and support their products beyond the next fiscal quarter or two!