The latest report shows that almost 60% of Android users are exposed to a security risk. Although that percentage amounts to almost one billion users, Google has clearly said that it has no intention of fixing the security issues for the users who are at risk.
Devices running Android 4.3 Jelly Bean or below are the ones at risk. The exposed component is WebView, the tool Android uses to render web pages. In KitKat and later versions, WebView was replaced by a Chromium-based version, which does not have these issues.
Tod Beardsley and Joe Vennix from security firm Rapid7 and independent vulnerability finder Rafay Baloch contacted Google to let it know about the loophole. The Rapid7 duo has found 11 separate vulnerabilities so far and has been contacting Google from time to time about the issue. However, they report that Google is not showing any interest in fixing it, leaving users at risk.
Beardsley, in his post, writes, “WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.” He further writes, “It would appear that over 930 million Android phones are now out of official Google security patch support. Any new bug discovered in ‘legacy’ Android is going to last as a mass-market exploit vector for a long, long time.”
On the same topic, Adrian Ludwig, Google’s chief of security, writes, “Keeping software up to date is one of the greatest challenges in security.” Because the browser app is based on a version of the WebKit browser engine that’s now more than two years old, fixing the vulnerability in Android Jelly Bean and earlier versions is “no longer practical to do safely.”
Most devices running Jelly Bean are mid-range to low-end, and they have no chance of being updated to KitKat or above. Though the share of KitKat is rising, Lollipop was shown to run on less than 0.1% of all Android devices as of the end of December 2015 (we hope this will change by the end of this month). The response from Google’s officials shows that they are not going to fix the issue; hence, users would be better off buying a device that runs KitKat or higher.