Google refuses to patch OS vulnerability

Manufacturers take different approaches to security updates for older products. Some, like Microsoft, keep shipping security updates for years after they stop selling an operating system. Others, Google and Apple among them, offer much shorter support windows.

Google has declined to fix bugs in Android 4.3 and earlier, even though those bugs can expose critical vulnerabilities on close to a billion devices.

Specifically, the bugs affect Android 4.1 to 4.3, known as Jelly Bean, which was released in 2012 and remained the current version of Android until late 2013. Until now Google had routinely fixed problems in Android's WebView rendering engine. Before the arrival of KitKat (Android 4.4), every Android release used this engine, which the stock Android Browser (and any app embedding a WebView) relied on to render HTML pages. With KitKat and Lollipop, Google moved the operating system to a WebView component derived from its Chromium project.

When security researchers from Rapid7 told Google that Android 4.3 and below were defenceless, Google's reaction raised a number of questions. The company said it would not develop patches itself for WebView versions older than 4.4, although it would consider patches submitted along with a report. For pre-4.4 issues reported without a patch, Google will do nothing beyond notifying OEMs. In other words, the researcher who reports an issue is now expected to write the fix as well. If a patch is supplied, Google will review it to confirm that it actually resolves the bug; if none is supplied, Google will merely inform OEMs of the problem. Put plainly, Google is telling its user community to obtain an updated operating system from Samsung, LG, Motorola and the like. For most users that is not a realistic option.

The ordinary phone or tablet user has no way to upgrade the operating system unless the carrier or OEM pushes an OTA update. Combined with two-year upgrade cycles, this means many people will be left holding vulnerable devices, knowing that Google will not provide a fix.
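For anyone responsible for a fleet of Android devices, the practical first step is to find out which ones still run the Jelly Bean-era WebView described above. The following triage helper is an added example and not part of the original article or of any Google tooling; it parses the `[key]: [value]` lines that `adb shell getprop` prints and flags devices below API level 19. The version-to-API mapping (Android 4.1-4.3 = API 16-18, KitKat 4.4 = API 19) is taken from Android's public version history; the inventory dumps are constructed for the example.

```python
"""Flag Android devices that still ship the pre-KitKat WebView.

Added example, not from the article. Assumes an inventory of
`adb shell getprop` dumps keyed by device name (constructed below).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KITKAT_SDK = 19                  # Android 4.4: first release with the Chromium-based WebView
JELLY_BEAN_SDKS = range(16, 19)  # Android 4.1, 4.2, 4.3 (API 16, 17, 18)

# getprop prints one property per line as "[ro.some.key]: [value]"
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<val>[^\]]*)\]\s*$")


def parse_getprop(text: str) -> dict[str, str]:
    """Parse `adb shell getprop` output into a dict, ignoring malformed lines."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


@dataclass
class Verdict:
    device: str
    release: str
    sdk: int
    legacy_webview: bool
    note: str


def assess(device: str, getprop_text: str) -> Verdict:
    """Decide whether a device runs the WebView that Google no longer patches."""
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "unknown")
    try:
        sdk = int(props.get("ro.build.version.sdk", ""))
    except ValueError:
        # Missing or unparsable SDK level: fail closed and treat as legacy.
        return Verdict(device, release, -1, True, "no SDK level reported; treat as legacy")
    if sdk < KITKAT_SDK:
        if sdk in JELLY_BEAN_SDKS:
            note = "Jelly Bean WebView: no fix from Google, OEM OTA is the only path"
        else:
            note = "pre-Jelly Bean build; also outside Google's patch policy"
        return Verdict(device, release, sdk, True, note)
    return Verdict(device, release, sdk, False, "Chromium-based WebView; in scope for Google patches")


def triage(inventory: dict[str, str]) -> list[Verdict]:
    """Assess every device, listing the exposed ones first."""
    verdicts = (assess(name, dump) for name, dump in inventory.items())
    return sorted(verdicts, key=lambda v: (not v.legacy_webview, v.device))


# Constructed sample dumps, trimmed to the two properties the check needs.
SAMPLE_INVENTORY = {
    "tablet-07": "[ro.build.version.release]: [4.3]\n[ro.build.version.sdk]: [18]\n",
    "phone-12": "[ro.build.version.release]: [4.4.4]\n[ro.build.version.sdk]: [19]\n",
    "phone-03": "[ro.build.version.release]: [4.1.2]\n[ro.build.version.sdk]: [16]\n",
    "phone-21": "[ro.build.version.release]: [5.0]\n[ro.build.version.sdk]: [21]\n",
}

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        flag = "LEGACY" if v.legacy_webview else "ok    "
        print(f"{flag} {v.device:<10} Android {v.release:<6} API {v.sdk:<3} {v.note}")
```

On a real fleet, replace `SAMPLE_INVENTORY` with the output of `adb -s <serial> shell getprop` for each device (or the equivalent export from an MDM). The helper deliberately treats a device with no readable SDK level as legacy, since a device you cannot classify should not be assumed safe.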

How Google tries to push OEMs off open-source Android

The main reason Google stopped fixing Android Browser problems is that the company is steering OEMs away from Android's open-source components and toward replacements licensed directly from Google. That said, Google is not planning to kill Android. It simply wants to ensure that the only parts of the platform that receive feature updates, capability improvements and performance enhancements are those covered by licensing agreements. By passing all responsibility for security updates to carriers and security researchers, Google is telling OEMs that they can either accept its licensing terms or carry a burden of providing security updates that they lack both the capacity and the budget to deliver. Bottom line: while Google fights its war, it is users who will suffer from unpatched bugs and devices that do not work properly. By refusing to patch OS vulnerabilities, Google is exposing over a billion Android users. We will see what comes next.