This article is more than 1 year old

Jellybean upgrade too hard for Choc Factory, but not for YOU

Patching WebKit would be unsafe, Google tells 960 million users

Google says it won't patch Android Jellybean because it's too hard.

The company revealed earlier this month that it would not fix vulnerabilities found in WebView, the core component used to render web pages on older Android devices.

Android lead engineer Adrian Ludwig said it was too hard to squeeze a patch into WebView's WebKit engine, which was five million lines of code deep.

"WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely," Ludwig said.

"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."

Despite the risks, Google is welcoming patches developed by the community.

Falling Jellybean user numbers are the most positive spin that can be placed on the decision, however, as nearly a billion devices, or 60 percent of the total Android user base, were estimated to run on the platform, according to Rapid7.

Metasploit engineer Tod Beardsley discovered Google's unwillingness to patch the Android iteration after he reported a WebView flaw to its security team.

"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue ... if patches are provided with the report or put into AOSP we are happy to provide them to partners as well," the Google team reportedly said.

Beardsley said at the time that Google should patch WebView, given the large number of users on the older platform, and not jettison fixes just because it was outdated.

"I empathize with their decision to cut legacy software loose [but] a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives," he said.

"In that light, I'm hoping Google reconsiders if [or] when the next privacy-busting vulnerability becomes public knowledge." ®
