Google’s initial plan was to provide security updates for older versions of its Android mobile operating system, but now the search engine giant has announced that it will not provide the updates any more.
This means that more than a billion users face growing security risks to their phones or tablets.
WebView is the piece of software that Google is dropping support for; it was replaced in version 4.4 with a new component taken from Google’s browser, Chrome.
Tod Beardsley, a researcher at security firm Rapid7, said: “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
The reason for this is largely down to the number of security flaws found in the software, at least in part because it incorporates support for Adobe Flash, which has simply proven too difficult to secure — ironically, as it was something Google touted as a plus for Android when Apple dropped Flash support for the iPhone.
There was no official announcement. In response to security researchers Rapid7, which had reported another WebView bug that needed fixing, Google responded:
So, Google is no longer fixing problems in anything but its latest (Android 5.0/Lollipop) or second-latest (Android 4.4/KitKat) versions, offloading the responsibility to those who find the flaw, other interested developers, or phone manufacturers such as Samsung, HTC or LG.
Android is an open-source operating system developed jointly by Google and other interested developers around the world who are able to update and maintain the code base, while Google manages and steers the project. By making Android an open-source project, Google increases the community’s ownership of the project, encouraging others to work on it. This approach contrasts with that of Google’s competitors — Apple’s iOS and Microsoft’s Windows Phone — which develop their operating systems entirely in-house and keep tight control of their code.
Google’s decision makes more sense with that in mind: the code for Apple’s and Microsoft’s operating systems is closed, so those firms wouldn’t be able to hand off their responsibility in this way. But Google can at least offer others the chance to tackle the problems.
Ultimately, the key message is that we need to start thinking of mobile devices as computers, not just phones, with all the caveats about security software, updates and precautions which that entails.