Google has put a lot of effort into boosting cyber security, but when it comes to its own software the search giant seems to take a much more relaxed attitude than it does toward someone else's software. Security firm Rapid7 recently discovered a security flaw in the WebView engine of Android 4.3 and below, and the response the security researcher received from Google is quite stunning:
If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.
In other words, Google is saying that it doesn't care about security holes in what was the primary version of Android through late 2013. Google says it welcomes patches for consideration and recommends that users take it up with the OEMs if they want a patch, but it flatly refuses to maintain security updates for older versions of its software, which admittedly is no easy feat given the fragmented nature of the Android ecosystem.
As ExtremeTech points out, this leaves nearly 1 billion Android devices vulnerable to attack, as only 39.1 percent of the user base runs Android 4.4 "KitKat". Users of most older Android devices, which you can still buy in stores today, have no prospect of a fix other than buying a new phone, as most OEMs barely provide support for non-flagship models or for devices that have lost their novelty.
What Google is doing, in essence, is telling its user community “Sorry, you have to tell Samsung, LG, and Motorola to provide you with an updated version of our operating system.” This is hilariously impossible. It would never fly in the PC world — imagine Microsoft telling customers “Sorry, you have to make HP, Dell, and Lenovo provide you with a free update for our operating system.” The disparity is even larger if you consider that, in most cases, a computer running a previous version of Windows can be upgraded by the end user to run the next version. That upgrade may be a headache, but system requirements on Windows haven’t budged in nine years.