Google Explains Why Billion User Flaw Is Too Much Trouble to Bother Fixing

Google Explains Why Billion User Flaw Is Too Much Trouble to Bother Fixing

by Pete Daniel on 29 January 2015 · 1977 views

Google engineer Adrian Ludwig has stepped up to defend the reason why the company has chosen to not update pre-KitKat versions of Android to deal with a WebView vulnerability that affects over 60 percent (or just under 1 billion mobile devices) of their existing user base.

2 full Google Explains Why Billion User Flaw Is Too Much Trouble to Bother Fixing

Google "Outs" Microsoft Bugs, Fails to Fix Their Own Android OS

Ironically the company chose to “out” Microsoft on two recent occasions when the search company discovered vulnerabilities in Microsoft releases and chose to publicize them before Microsoft could release a patch. Days later, Google declines to bother issuing a patch themselves. Like. Ever. Nicely done.

Fixing The Bug Not Worth It For Older Versions

Now Adrian Ludwig, a Google engineer, has confirmed that providing a fix to WebView which is present on all these pre-KitKat devices would necessitate many code alterations that would ultimately break other functionality in the process. As a result, the company doesn't feel like it is a viable choice to fix WebView.

Developers Advised to only use WebView Components to Access Secure Sites

Ludwig also noted that developers who need to use WebView in their applications (which is used to help render pages in Android) as a component only to load up secure and trust websites. This is because it is the insecure, malicious websites that are the problem here.

Google Is Fixing The Bug in KitKat and Lollipop

Google is actually working on providing security updates to OEMs to address the same bug in Android KitKat 4.x and Android Lollipop 5.0 presently. So apparently it doesn't break so much that it is too much trouble to fix newer versions of Android. Just the older versions...

Duty of Care Lacking for Android JellyBean and Older Versions

This is quite remarkable really. The argument is being made that people will upgrade their device at some point and therefore it is too much work to bother to fix older versions of Android. Lets just leave the users vulnerable and to hell with it, basically. Nice attitude towards over 930 million users. Ludwig also commented that the vulnerable user base is reducing every day.. down from a high base of 930 million... could take a while...

So the final word on Android's older versions is that they will not update them and will not support them. But they will leave the customer swinging in the wind. And if you happen to visit a malicious site accidentally that exploits the WebView vulnerability, and you suffer identity theft and financial loss. Well, pal, you're on your own. Cool, eh?!

Comments (0)
Featured Articles