Slashdot Mirror
Google Explains Why WebView Vulnerability Will Go Unpatched On Android 4.3
MojoKid writes If you're running Android 4.3 or earlier, you're pretty much out of luck when it comes to a baked-in defense against a WebView vulnerability that was discovered earlier this month by security analyst Tod Beardsley. The vulnerability leaves millions of users open to attack from hackers that choose to exploit the security hole. WebView is a core component of the Android operating system that renders web pages. The good news is that the version of WebView included in Android 4.4 KitKat and Android 5.0 Lollipop is based on Chromium and is not affected by the vulnerability. The bad news is that those running Android 4.3 and earlier are wide open, which means that 60 percent of Android users (or nearly one billion customers) are affected. What's most interesting is that Google has no trouble tossing grenades at the feet of Microsoft and Apple courtesy of its Project Zero program, but doesn't seem to have the resources to fix a vulnerability that affects a substantial portion of the Android user base.
Exactly. I wouldn't blame Google for this, the problem lies with the carriers not upgrading their fleet of phones. Android is now 3 major version releases past 4.3. Would you really expect Microsoft to continue to support Windows XP anymore? They don't, unless business is willing to shell out big bucks for added support.
Carriers should really be to blame.
Two key differences. First, XP came out in 2001. Second, XP support ended last year. But to be fair, I'd be happy if Google would support their OS for even half that long. So, where is that support for Android 1.1?
Realistically, support should last at least as long as the longest contract in the countries their product is used in. If you went with the standard of a 3-year contract (I think there are 4-year contracts, but I'm certain my carrier has 3-year contracts), that would still leave the later releases of Ice Cream Sandwich (4.0) under support. Face it, their Android OS support is abysmal.
Sure I'm paranoid, but am I paranoid enough?
I have a Google Nexus. 4.3 is the last version supporting my phone. The phone does everything I need it to, so I don't want to waste money on a newer one. I think this is a blatant attempt to force people to buy newer phones. All their craplets get updated, but not the Android OS.
The WebView code was originally tied directly to the android version and HW manufactures aren't willing to deploy 4.4 since it would take effort on their part.
4.4 changed WebView and that broke a number of apps.
And not simply broke. Google has removed sizable chunk of WebView functionality because it is not really WebView anymore, it is small Chrome browser window and the features everybody was relying upon where never part of Chrome and as such... tough luck.
To the company with the resources of Google, lame excuses like that are just unacceptable.
All hope abandon ye who enter here.
It would be a major improvement if Android products were supported for even 2 year contract periods.
Google should require manufacturers to provide all Android updates for 2 years minimum and 2 minor versions minimum, and security updates for those minor versions for 4 years minimum.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Apple released a security patch for iOS 6 when that SSL vulnerability was found. It was a deprecated OS running on a MINORITY of Apple phones and they issued an update anyway. (http://support.apple.com/en-ca/HT202920)
Why are so many people excited to give Google a pass over this? Support your customers or don't, but be up front about how long they're going to get to see updates. If you're going to drop security support after 18 months, at least let everyone know so they can make an informed decision.
Largely because everyone with a clue knows that 99.999% of devices still running Android 4.3.x which haven't been upgraded to 4.4.x have approximately 0.00000 probability of being updated to 4.3.(x+1) even if Google were to make a patch available.
Whether they "support" 4.3 for two days, two years or two decades at this point is largely irrelevant. If you have no means to get a patch to the people affected by the problem and you're going to get criticized irrespective of whether or not you try, then why waste the resources?
And it's pretty darn obvious from what Google's been doing in the last few years that this is not a situation that Google is happy with, nor is it a situation they could reasonably do much more about.
Log in or piss off.
You're off by an order of magnitude.
Samsung, in 2014, released about 3 smartphones per week. Yes, they have over 150 smartphones released in 2014. Tablet wise, I think it was over 1 tablet a week (it was over 50 around October).
It seems a lot of Android manufacturers see Android more as a "fire and forget" style of releases - just get a version of Android, stick it on, sell it, move on.
I mean, supporting 200 brand new Android devices (ignoring 2013 releases and prior) ...