Because Google’s Android mobile operating system is more open than the competing platforms (mainly Apple’s iOS and Microsoft’s Windows Phone/Windows), it is also more prone to vulnerabilities. There have been many reports of vulnerabilities in the past, some confirmed and some not, and many of the confirmed ones have been fixed. Fixes usually arrive as part of operating system upgrades, either in major releases (like 4.0, 5.0) or through point updates (5.0.1, 5.0.2).
And then there are problems which are not fixed, like this web vulnerability, which is present on some older Android phones and is not getting a fix from the search giant. Apparently, the Mountain View-based company has a good reason for not fixing it: according to the company’s own Adrian Ludwig, it is no longer “viable” to patch the WebView in versions of the operating system older than 4.4.
“Keeping software up to date is one of the greatest challenges in security”, Ludwig noted. “But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices”, he says.
However, there are two fixes (or workarounds, really) that are up to the user: updating to a more recent version of Android (which also depends on Google), or downloading a different browser, like Google’s Chrome or Firefox, to use instead of the default browser in which this vulnerability exists. Even so, a lot of users will remain exposed, as many don’t know about web browsers other than the stock one, or can’t easily install Chrome, for instance, on devices that ship without the Google Play Store.
Source: Adrian Ludwig, The Wall Street Journal
Via: Android Police
More coverage: Engadget