People with Android smartphones and tablets running older versions of the mobile operating system — around 60 percent of all Android users — are going to have to live with a security flaw Google has decided not to fix.
A known security bug in the default, unbranded Web browser for Android 4.3 Jelly Bean and older versions of Google’s mobile OS will go unpatched, Google’s chief of security for Android wrote in a Google+ post on Friday.
“Keeping software up to date is one of the greatest challenges in security,” Adrian Ludwig wrote. Because the browser app is based on a version of the WebKit browser engine that’s now more than two years old, fixing the vulnerability in Android Jelly Bean and earlier versions is “no longer practical to do safely,” he wrote.
Google confirmed on Saturday that Ludwig’s post is the company’s official position on the matter.
The company’s decision has upset security experts, who worry hackers will be able to easily target the hundreds of millions of people using phones and tablets that run older versions of Android. Ludwig contends the number of people potentially affected by the vulnerability is “shrinking every day.” But for security professionals, it’s just not shrinking fast enough.
According to Google’s own Android usage numbers, 39.1 percent of its smartphones and tablets run a newer, unaffected version of Android: 4.4 KitKat. The most recent version of the operating system, Android 5.0 Lollipop released in November, makes up less than one-tenth of 1 percent of Android devices in use. That means about 60 percent of Android devices run versions of the OS that included the susceptible browser by default.
The consequence of having so many people running so many different versions of the same operating system is that it becomes far more complicated to protect them, wrote Tod Beardsley, an engineering manager at security firm Rapid7. “Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope,” he wrote in a blog post.
Upgrading to a new Android phone or tablet isn’t an option for many people, Beardsley said, because while the latest Nexus phone running the latest version of Android retails for $649.99, Amazon sells new, out-of-the-box Android phones running older versions of the operating system for one-tenth the price.
Ludwig recommends people on Android 4.3 or older use a different Web browser. He suggests Google Chrome, which works on Android 4.0 Ice Cream Sandwich and newer, or Mozilla Firefox, which works on Android 2.3 Gingerbread and newer. However, switching browsers won’t fully address the flaw since it affects the part of the default browser that apps tap into to display websites. Ludwig asks app developers to restrict loading content in their apps that doesn’t come from the Android device itself, or over a secure connection.
Beardsley said he empathizes with Google’s decision because of the difficulties in updating old computer code. But he said he hopes the company revisits its decision in light of the huge number of people who depend on Android “to manage and safeguard the most personal details of their lives.”