There's a Bug in Almost a Billion Android Phones and Google Doesn't Care

By Gerald Lynch

If you had a security flaw in a product that affected 60 per cent of your userbase, you'd think that it'd be pretty high on your list of priorities to fix. But it appears Google is turning a blind eye to a bug that's leaving almost a billion Android users open to hackers.

Tod Beardsley, an analyst from security and data analytics firm Rapid7, found an issue with the way the WebView component of Android 4.3 and below works (WebView lets apps open webpages without having to fire up a separate browser app), allowing hackers access to a user's sensitive information. Though Android 5.0 and 4.4 are unaffected, the majority of Android users are still on devices running Android 4.3 or older, leaving a huge number of smartphone users open to attack.

However, Google's response to Beardsley leaves little hope of a fix coming from the Mountain View company any time soon:

"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

In other words, it'll be down to OEMs and handset manufacturers to plug the good ship Android instead. While it's not unusual for companies to stop supporting older software over time, with so many people potentially affected, Google may be storing up more problems for itself by not acting. [Rapid7 via ArsTechnica]