Android 4.3 Jelly Bean has been discovered to have a security glitch, and Google says that it will not provide a patch for it. Sadly, nearly a billion Android users run Android 4.3 Jelly Bean and prior versions, and they will not be receiving any patch or update for this flaw in their OS.
The issue is in WebView, a core component used to render web pages on Android. It was replaced in Android 4.4 Kitkat by a Chromium-based WebView, which is used by the Chrome browser, so the vulnerability only affects Android 4.3 and previous versions.
Reportedly, there was a recently discovered vulnerability named “universal cross-site scripting bug” in Android 4.3, and Team Google fixed it up pretty quickly. This must be due to the fact that most Android users were on Jelly Bean, and the final release of Jelly Bean was in October 2013, which was just a year ago.
But now, due to a new and under-reported policy from the Android Security team, Google will no longer be providing security patches for vulnerabilities that affect Android’s native WebView prior to version 4.4, which makes it clear that Google intends to support only users of Android 5.0 Lollipop and Android 4.4 Kitkat. Their predecessors, version 4.3 Jelly Bean and prior versions, will not get any patches from Google.
Google’s response about the newly discovered WebView vulnerability in pre-Kitkat versions of Android says:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
However, the Android security team confirmed that other pre-Kitkat components, such as multimedia players, will continue to receive back-ported patches.
When Google was asked what caused the change in policy, it responded that it no longer certifies third-party devices that include the Android Browser, and that the best way to improve the security of Android devices is to upgrade them to the latest version. Put plainly, Google implies that devices running Android 4.3 and earlier versions will no longer get support from it.
While this can be treated as a normal change when seen from Google’s side, from the consumer’s end Lollipop has not even been properly rolled out to most users, and Kitkat is used by only 40% of Android consumers. This leaves about 60% of Android users, which works out to 930 million users, at risk because they use Android 4.3 and earlier on their devices.
What do you think of this policy change by Google, which leaves the majority of Android users without any choice? Let us know in the comments!