Wednesday 28 January 2015

Google refuses Android patch for bug hitting a billion devices

What happened?


Google has said it won’t fix a bug in Android, despite the fact that it will leave a billion phones and tablets vulnerable worldwide.

The bug, discovered by researchers at security firm Rapid7, is in a component called WebView, which Android uses to show web pages in apps that aren’t browsers, such as when you click a link in Twitter. It affects versions of Android older than KitKat (4.4) which, Google claims, are now too old for the company to invest time and resources in fixing.


"If the affected version is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration," Google told Rapid7.

This means that unless a security firm releases a fix approved by Google, any device running Android Jelly Bean (4.1 to 4.3) or a previous version will be at risk of being hacked. According to Google's statistics, around two-thirds of Android phones and tablets run Jelly Bean or earlier. Jelly Bean was released in mid-2012 and is used on more devices than its successor KitKat.

Google isn’t just being difficult or trying to force users to buy newer devices. The affected part of WebView, the WebKit rendering engine, was replaced by a new system called Blink in Android 4.4 and 5. This makes the older WebView difficult for Google to update, because the company would have to issue an update via manufacturers and mobile operators. It has done this in the past, such as for last year’s Heartbleed flaw, but it is a rare occurrence.

How will it affect you?


If you use a device that runs Jelly Bean or earlier, don’t panic. Hackers haven’t yet exploited the flaw, and it’s unclear whether it is serious enough to let them infiltrate a device. However, with so many phones and tablets vulnerable, you can bet they will be trying to. If you were considering buying an Android 4.3 device, no matter how cheap it may now be, you should certainly think twice.

Because WebKit isn’t being updated in older phones, it’s a good move to download and use an alternative browser that will receive updates, rather than sticking with the standard Android one. However, this flaw is in WebView, which is also used by apps that aren’t browsers. This means that you should follow safe web-surfing advice by being extra cautious when clicking a link you’re unsure about.

It’s also worth keeping an eye out for a security fix. Perhaps a company out there will see it as a smart way of winning the hearts and minds of a billion Android users.

What do we think?


What a disappointing response from Google. The tech giant seems to be telling us that devices a mere two years old are too ancient to be fixed, yet its own numbers show that despite new smartphones selling in their millions every year, most of us are on older handsets. Maybe we just want to stick with what’s familiar, or have inherited a handset when a friend or family member upgraded, or are waiting for an upgrade of our own. Either way, the onus is on Google to issue key updates. How did it manage to design a system that was so difficult to maintain?

Imagine the backlash if a major flaw were to hit Windows and Microsoft refused to update it. Indeed, last year Microsoft said it would stop issuing security updates for Windows XP, which came out in 2001, but when a major flaw was found soon afterwards, the company relented and released a patch to help protect users.

It’s fair to point out that the problem isn’t only with Google: manufacturers and mobile operators aren’t very good at pushing out updates that are issued. But rather than give up, Google could use its considerable power to implement a better system. We think the company should be working harder to keep its many users safe.