Google: Fixing vulnerable OS is too dangerous

See if you can follow the logic on this one: Google knows its Android 4.3 Jelly Bean OS is vulnerable, but it’s not going to fix it because it could wind up being too dangerous. 

The two-year-old mobile operating system recently was found to have a vulnerability in WebView, a component of mobile browsers on older Android devices. When that vulnerability was reported to Google, the company responded that it would not be doing anything to patch it.

Now Android engineer Adrian Ludwig is explaining why:

“Until recently we have also provided backports for the version of WebKit that is used by Webview on Android 4.3 and earlier. But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely. With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices.”

While it’s true that people are getting newer devices and upgrading every day, that’s not the full story. It’s estimated that 60% of Android users are still on the outdated operating system.

That’s 960 million devices worldwide.

Upgrading isn’t always a priority

Even Apple isn’t hitting the upgrade rates it once did, but it’s still far ahead of Google. And it’s not always users’ fault that they aren’t upgrading.

Frequently, carriers don’t make updated mobile operating systems available. If they do, users may not have enough room on their devices to install the safer versions.

Very few manufacturers will come right out and say that users who want a secure operating system should purchase a new device, but that’s essentially what it all boils down to.

Your best bet is to urge users to upgrade to more recent and secure versions of their mobile operating systems. If they’re using the devices as part of a BYOD program, you may even want to make it a requirement.

And as a workaround for this specific WebView issue, instruct users to use a secure mobile browser, such as Chrome or Firefox, instead of the one that comes with the phone. Those browsers are frequently updated, and users should make sure they’re applying updates as they become available.
