Google has revealed that Android smartphones and tablets running versions of the software released before 4.3 (Jelly Bean) will no longer be given official updates to an important part of the software, leaving 939 million devices unsecured, according to IT Pro.
The part of the Android software affected is WebView, which allows apps to display web pages without having to open other applications. Forbes describes the component as “the favored vector for attack for nearly any remote code execution vulnerability in the mobile OS.”
Security researchers discovered that Google was ending support for WebView on earlier versions of Android when attempting to report a bug in the AOSP browser. According to ZDNet, a member of Android’s security team responded by saying: “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
This means that any bugs found affecting earlier versions of the operating system – which covers around 939 million handsets – will not be fixed by Google. If anyone patches the bugs, Google will incorporate the fixes into the Android Open Source Project code, which is distributed to handset makers, but “that’s where its responsibility stops,” states ZDNet.
The 939 million figure comes from Google’s own numbers on Android version popularity. There is a total of 1.5624 billion Android phones in use, and Google states that 60.1 percent do not run version 4.4 (KitKat) or later. The latest version of the OS, Lollipop, has so far only been taken up by 0.1 percent of users, but that’s likely to be because most manufacturers and carriers are yet to roll out updates for their handsets and networks.
Despite this, the Android security team will continue to patch other areas of the pre-KitKat Android system, including multimedia players, ZDNet explains.
Author Alan Martin, ESET