Why Google won't fix a security bug in almost a billion Android phones

A day after Google publicized a flaw in Windows 8.1 before Microsoft could do anything about it, news broke about a security vulnerability in Android that the Mountain View company, well, won't fix at all. Rafay Baloch, an independent researcher, and Joe Vennix, an engineer at Rapid7 (a security and data analytics firm) found a serious bug in the WebView component of Android 4.3 and below. It's an older bit of software that lets apps view webpages without launching a separate app, and the bug in question potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users -- that's close to a billion people -- still use Android 4.3 or lower, it still affects a lot of people. Unfortunately, as Tod Beardsley, a Rapid7 analyst, found out, there's no easy way for Google to fix it.

The quote from Google to Beardsley is as follows:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

According to Beardsley, it seems that Jelly Bean devices are simply too old to support -- supporting old software versions is fairly unusual, after all. The truth of the matter is that WebView support in older builds of Android is baked firmly into the operating system, making it much harder for Google to roll out an update to affected devices. However, as Android 4.4 and Android 5.0 are already patched, the onus is then put on the various OEMs and carriers to issue a patch instead.

Google has mitigated this issue in newer versions of Android by dropping WebView from the core OS and incorporating it into the Google Play Services 'app'. Google can issue updates via an update via the Play Store, patching bugs like these as they're discovered. In this case, Beardsley asks Google to reconsider, due to the wider consequences this security flaw could potentially unravel, but in reality Google has its hands tied.

Update: This article has been changed to explain why Google cannot patch the WebView bug in Android.

[Image credit: Phillip Bond / Alamy]