Google patch policy leaves over 900 million Android users out in the cold
When a version of Windows reaches the end of its normal support, as Windows 7 has today, Microsoft continues to provide security patches for an extended time.
Google, it seems, prefers to take a tougher line and is not issuing patches for versions of Android prior to 4.4 KitKat, leaving millions of users of older versions out in the cold.
The policy came to light when researchers at security company Rapid7 reported a vulnerability in WebView -- a core component used to render web pages -- on pre-4.4 versions of the OS and received the following reply:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch".
In other words, security companies are now expected to report a bug along with a patch to fix it. Otherwise Google will simply inform manufacturers like Samsung and Motorola and expect them to provide fixes for their handsets. Imagine for a moment if you reported a Windows bug and Microsoft told you that you had to call Lenovo or Dell to get a fix for your PC.
This potentially puts over 900 million Android devices out of the loop when it comes to getting security patches. Given that many of these will be budget phones and tablets that won't have the option to upgrade to a later version they're likely to remain vulnerable.
Of course, Android is open source, so handset makers -- or anyone else -- can come up with a patch. However, leaving this to chance seems like a short-sighted policy on Google's part and could dent long-term confidence in the operating system, particularly when it comes to safeguarding personal details.
On its blog Rapid7 urges Google to reconsider. Whether or not it will have a change of heart, we'll have to wait and see.
Image Credit: Gary Ham