Slashdot Mirror


Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3

MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.

14 of 579 comments

  1. Use trunk or it is not my problem. by ThePhilips · · Score: 2, Interesting

    The explanation I read elsewhere (RTFA quotes from different interview) sounds a lot like the excuse of some incompetent developers: use trunk or it is not my problem!

    If they had developed a small patch for the problem, I'm pretty sure OEMs wouldn't have a problem pushing it to the users.

    But it seems they can't because, as all developers working exclusively in the trunk, they have rewritten everything already several times, and looking at the old stuff is... wew! It's old! It's absolutely horrible! Use snapshot from the trunk!! We fixed everything!! It's all better!! We promise!! Honestly!!

    --
    All hope abandon ye who enter here.
  2. Re:The solution is obvious by Anonymous Coward · · Score: 0, Interesting

    By being control-freak monopolists.

  3. Re:The solution is obvious by Anonymous Coward · · Score: 1, Interesting

    No, blame for this is on Google, because Android is designed as a firmware but marketed as an operating system. An operating system would get updates without requiring a complete wipe and reinstallation. Android has a huge attack surface and still completely lacks ways to fix bugs except by abandoning entire "OS" versions.

  4. Re:The solution is obvious by mdielmann · · Score: 5, Interesting

    Exactly. I wouldn't blame Google for this, the problem lies with the carriers not upgrading their fleet of phones. Android is now 3 major version releases past 4.3. Would you really expect Microsoft to continue to support Windows XP anymore? They don't, unless business is willing to shell out big bucks for added support.

    Carriers should really be to blame.

    Two key differences. First, XP came out in 2001. Second, XP support ended last year. But to be fair, I'd be happy if Google would support their OS for even half that long. So, where is that support for Android 1.1?

    Realistically, support should last at least as long as the longest contract in the countries their product is used in. If you went with the standard of a 3-year contract (I think there are 4-year contracts, but I'm certain my carrier has 3-year contracts), that would still leave the later releases of Ice Cream Sandwich (4.0) under support. Face it, their Android OS support is abysmal.

    --
    Sure I'm paranoid, but am I paranoid enough?
  5. Re:Nice troll by OhPlz · · Score: 4, Interesting

    I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.

  6. Re:The solution is obvious by Noah+Haders · · Score: 1, Interesting

    ok, so why didn't Google do things the way Apple did them? the precedent was already set. I'll tell you why - they wanted market share, not a good (and safe) user experience. For Google, users are the product.

  7. Re:Article misses the point by ThePhilips · · Score: 3, Interesting

    The WebView code was originally tied directly to the Android version and HW manufacturers aren't willing to deploy 4.4 since it would take effort on their part.

    4.4 changed WebView and that broke a number of apps.

    And not simply broke. Google has removed a sizable chunk of WebView functionality because it is not really WebView anymore, it is a small Chrome browser window, and the features everybody was relying upon were never part of Chrome and as such... tough luck.

    To the company with the resources of Google, lame excuses like that are just unacceptable.

    --
    All hope abandon ye who enter here.
  8. Re:The solution is obvious by bondsbw · · Score: 4, Interesting

    It would be a major improvement if Android products were supported for even 2 year contract periods.

    Google should require manufacturers to provide all Android updates for 2 years minimum and 2 minor versions minimum, and security updates for those minor versions for 4 years minimum.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  9. Re:The solution is obvious by Dixie_Flatline · · Score: 4, Interesting

    Apple released a security patch for iOS 6 when that SSL vulnerability was found. It was a deprecated OS running on a MINORITY of Apple phones and they issued an update anyway. (http://support.apple.com/en-ca/HT202920)

    Why are so many people excited to give Google a pass over this? Support your customers or don't, but be up front about how long they're going to get to see updates. If you're going to drop security support after 18 months, at least let everyone know so they can make an informed decision.

  10. Re:The solution is obvious by c · · Score: 3, Interesting

    Why does Google get a pass just because they have a fast versioning scheme?

    Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.

    Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?

    And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.

    --
    Log in or piss off.
  11. Re:The solution is obvious by tlhIngan · · Score: 5, Interesting

    Together, the others release dozens, and different companies share different responsibilities. Nice for consumer choice, but not so nice for support, since nobody wants to maintain a software stack nor wrestle with the politics involved in updating so many different devices.

    You're off by an order of magnitude.

    Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet-wise, I think it was over 1 tablet a week (it was over 50 around October).

    It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.

    I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...

  12. Re:The solution is obvious by sexconker · · Score: 2, Interesting

    The updates are NOT free. Android is NOT free.
    You have to PAY to get access to Android source code. You pay more if you want the newer versions. You have to agree to shit like bundling Google's apps and store (which now also cost money separate from Android itself) or guaranteeing a "flagship" phone launch with expected sales of X within a certain time frame if you want access to the latest builds.

    Even if Android was actually free, there are plenty of costs associated with pushing out an update. You've got to make sure the new version runs on the old devices (it won't). Then you've got to do QA. Then you've got to push the update out to the carriers. Then the carriers have to do their own validating. Then the carriers have to push it out.

    Then people have to accept the update.

    Google is the pot calling the granite counter top of Microsoft black.

  13. Re:The solution is obvious by sexconker · · Score: 2, Interesting

    Except that google isn't charging for their new software.

    Yes they fucking are. Android is not free. Android is not open source. AOSP is not Android.
    If you are an OEM and you want the latest version of Android you pay money and agree to bundle Google's apps and store (which cost more money) into a "flagship" phone that will launch within a certain time frame and is expected to sell some minimum number of units and will be heavily advertised as running Android X.Y Whatever Candy.

  14. Re:The solution is obvious by Ramze · · Score: 2, Interesting

    " a smartphone is just a shrunk down PC/laptop."

    No. It isn't. Seriously. PC/Laptop CPUs are all either x86 or i64 (mostly i64) compatible and standardized. The various modified ARM versions in mobiles are not. ARM tech is licensed and various core manufacturers make their own changes - but also, there are ARM4, ARM5, ARM6, ARM7, and ARM8 based CPUs out there with incompatible binaries. MS and Apple just compile once and go (though Apple compiles for A5, etc. for tablets and MS compiles for 32-bit and 64-bit) - but you have to compile for each architecture for various devices running Android. In fact, it's smarter for the manufacturer to compile it specifically for the configuration they created - as well as enabling/disabling features to optimize memory, speed, etc. Manufacturers also may have to recompile any other binaries/drivers to inter-operate with the updated code.

    Also, MS and Apple have standardized OSes. Android is not - it's a base for the manufacturers and carriers to modify. Because it's modified, it's up to the manufacturer who made the modifications to update the systems to be compatible. It simply is not possible for Google to maintain a list of all manufacturers' various hardware and software modifications for each device produced (assuming manufacturers would even give them that info).

    "What does a pure software component, WebView, have anything to do with hardware drivers? Nothing."

    Now, here is where you have a solid argument. Google could release a patch for each Android version affected rather than require an upgrade to a new Android version to resolve the issue. That's not an unreasonable request for maintenance on 2 year old software. Even then, it would be up to the manufacturers to compile and test the code for their devices, then to release it.

    I'm not sure there's much of an argument if the devices could be upgraded instead of patched. MOST of them can be upgraded to Android 5 - it was designed to have a smaller footprint so that even older devices that couldn't take previous updates could upgrade to 5. Either way, it'd be the device manufacturers' responsibility to test and push out the update.

    Your device manufacturer chose the hardware configuration, modified the OS, and accepted responsibility for supporting the hardware AND software updates for the device. That's why it's their fault and not Google's. Android 5 can be run with few modifications on practically any device that could run Android 4 (Ice Cream Sandwich) which came out 3 or 4 years ago. There's no reason each and every device manufacturer couldn't recompile from source, test, and push out the very latest Android to just about every device out there. Why haven't they? Because they don't care about long term support. They are in the business of selling you a NEW device, not maintaining your old one beyond a reasonable time for them not to be sued.

    Want to blame someone? Manufacturer FIRST, then Carrier, then Google. Google's done their part IMHO by releasing free fully patched OSes for the manufacturer. It's not their fault if the manufacturer refuses to compile, test, and push out the updates (with their carriers' blessings) which they accepted full responsibility for doing.