While Google is under fire for publishing a Windows bug two days before Microsoft released a fix, the company is now not updating the security of its own software. Google had announced that it has decided to end support for older versions of Android WebView.
More than 100 million devices are running Android 4.3 Jelly Bean or an earlier version, and Google is leaving all of these devices exposed to threats.
WebView is the embeddable browser control used in Android apps, powered by a version of the WebKit rendering engine. It was replaced in Android 4.4 KitKat and Android 5.0 Lollipop, which use Blink rather than WebKit for their WebView and hence are unaffected by the bug.
Tod Beardsley, a security analyst from Rapid7, has discovered a critical bug in the WebView component of Android 4.3 and earlier that possibly left millions of Android smartphone users vulnerable to hackers.
In principle, most phones running Android 4.3 or below could receive major updates to 4.4 or even 5.0, and eliminate the bug in that manner. Google's position is complicated, because it has produced a platform that it has no power to update. There's no Windows Update for Android phones, and Google has no ability to push out updates to the operating system; it has to depend on a range of OEMs and network operators to adopt its source code changes and distribute them to users.
Beardsley had reported the vulnerability to Google, but the reply from the search giant has shocked everyone. Beardsley quoted the reply from Google, which reads:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
So, Google is no longer going to provide security patches for 4.3 or earlier versions, but the company has said that it will welcome third-party patches.
"Google's reasoning for this policy shift is that they 'no longer certify 3rd party devices that include the Android Browser', and 'the best way to ensure that Android devices are secure is to update them to the latest version of Android'," explained Beardsley.
This improved servicing and maintenance is one of the reasons that Google has been pushing more features into APKs and out of the Android OS. But it does little to help the 60 percent of Android users who are currently at risk.