Google Ditches Patches for 930 Million Android Users

Google is discontinuing patches for Android's WebView component, which the stock Android browser and third-party apps use to render web content, on devices running Android Jelly Bean (4.1 to 4.3) and earlier.

With 60 percent of Android users falling into that camp, it translates to about 930 million vulnerable devices. 

The component in question is WebView, which, true to its name, is what apps use to render web pages. Starting with KitKat (OS version 4.4), Google replaced the legacy WebKit-based WebView with one built on Chromium; the older code base is what will now go unpatched.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” Google told Rapid7. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
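As an added example, not code from the article, from Google or from Rapid7, the following Android helper shows one way an app developer can limit exposure on devices whose system WebView is no longer patched by Google (API level below 19, i.e. before Android 4.4): gate the WebView settings on the running API level and restrict what the view will navigate to. The class name, the host allowlist and the specific settings chosen are assumptions made for illustration.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical helper (added example, not from the article) that tightens a WebView's
 * configuration when the device's WebView predates Android 4.4 and will not receive
 * further patches from Google.
 */
public final class LegacyWebViewHardening {

    // Assumed allowlist of hosts this app is willing to render; replace with your own.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private LegacyWebViewHardening() {}

    /** True on devices whose system WebView is the pre-4.4 (API < 19) code base. */
    public static boolean usesUnpatchedWebView() {
        return Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT; // KITKAT == 19
    }

    /** Apply a conservative configuration to the given WebView. */
    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();

        // Reduce reachable surface regardless of OS version: no file:// or content:// access.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);

        if (usesUnpatchedWebView()) {
            // Legacy WebView: keep script and plugins off so the view only renders static content.
            settings.setJavaScriptEnabled(false);
            settings.setPluginState(WebSettings.PluginState.OFF);
        } else {
            // Chromium-based WebView (4.4+): script may be enabled if the app needs it.
            settings.setJavaScriptEnabled(true);
        }

        // Only allow navigation to HTTPS origins on the allowlist; block everything else.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView not to load the URL.
                return !isAllowed(url);
            }
        });
    }

    /** Allow only https:// URLs whose host is on the allowlist. */
    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null && ALLOWED_HOSTS.contains(host);
    }
}
```

Call `LegacyWebViewHardening.configure(webView)` before the first `loadUrl(...)`. The version gate does not patch the old WebView; it only keeps untrusted script and arbitrary origins away from it, which is the part an app author still controls once the platform vendor has stopped shipping fixes.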

“On its face, this seems like a reasonable decision,” said Tod Beardsley, senior manager of engineering at Rapid7, speaking to Kaspersky Lab. “Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds; heck, many vendors drop support once the next version is released, and many others don’t have a clear End-Of-Life (EOL) policy at all.”

What it means, though, is that OEMs and carriers will need to take over both developing patches and pushing them out, which is not an ideal turn of events.

“The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business,” Beardsley said. “After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?”
