Google defends policy to abandon security fixes on Android versions older than KitKat

Is Android finally too fragmented to keep supporting earlier WebKit builds?

Google has defended its decision to stop providing security patches for the WebView component in versions of Android earlier than 4.4 "KitKat". This effectively leaves Android 4.3 and earlier exposed to any further vulnerabilities found in that component.

The decision concerns WebView, an extension of Android's general View class that lets apps display web pages as part of a layout. In these older releases WebView is built on the WebKit rendering engine, and it is with that engine that the problem apparently lies.

Adrian Ludwig of Android Security posted on his Google+ blog on Friday that "keeping software up to date is one of the greatest challenges in security" and that while Google "invests heavily in making sure Android and Chrome are as safe as possible", doing this requires frequent updates.

Complaining that WebKit alone is "over five million lines of code" and that "hundreds of developers are adding thousands of new commits every month", Ludwig maintains that backporting to a "two-plus year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely".

Ludwig goes on to say that "with the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."

But with consumer app directory AppBrain.com reporting that 49.9 per cent of its users (as of 23 January 2015) still use Android versions between 4.1 and 4.3, Ludwig's argument seems hard to defend.

For the same date, AppBrain reports that 36.5 per cent of users are running Android 4.4, while only 0.5 per cent have upgraded to 5.0 "Lollipop" (understandable, as rollout is yet to hit many models outside Android's core Nexus series).

On those figures, only around 37 per cent of Android users (36.5 plus 0.5) would be running a release for which Google still issues WebView security fixes, should Google hold to its decision.

Ludwig suggests that "using a [web] browser that is updated through Google Play and using applications that follow security best practices... will help protect users", but this is potentially little help to those whose phones are too outdated to receive such app updates, or who would not think to seek out updates that fall outside the automated update process.
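What Ludwig's advice looks like from the app side, as an added example that is not code from the article, from Google or from any named project: an Android app can check whether the device's WebView is still patched (API level 19, KitKat, or later) and, on older devices, hand untrusted URLs to the user's Play-updatable browser via an Intent instead of rendering them in its own WebView. The class and method names are this example's own; the Android framework calls (Build.VERSION, Intent, WebSettings) are real.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Added example (not the article's or Google's code). Routes web content
 * according to whether the device's WebView still receives security fixes.
 * Class and method names are assumptions made for this illustration.
 */
public final class SafeWebContent {

    // First Android release whose WebView still gets fixes, per the article.
    private static final int FIRST_PATCHED_API = Build.VERSION_CODES.KITKAT; // API 19

    private SafeWebContent() {}

    /** True when the platform WebView on this device is still receiving fixes. */
    public static boolean webViewIsPatched() {
        return Build.VERSION.SDK_INT >= FIRST_PATCHED_API;
    }

    /**
     * Show an untrusted (third-party) page. On devices with an unpatched
     * legacy WebView, hand the URL to the user's browser, which can be
     * updated through Google Play, rather than rendering it in-process.
     * Returns false if no browser is installed to take the URL.
     */
    public static boolean openUntrusted(Activity activity, WebView webView, String url) {
        if (!webViewIsPatched()) {
            Intent browse = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
            PackageManager pm = activity.getPackageManager();
            if (browse.resolveActivity(pm) == null) {
                return false; // no browser available; caller decides what to show
            }
            activity.startActivity(browse);
            return true;
        }
        WebSettings settings = webView.getSettings();
        // Untrusted content gets no script execution and no file:// access.
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        webView.loadUrl(url);
        return true;
    }

    /**
     * Content the app ships itself (help pages in assets/) can stay in the
     * WebView on every release, since an attacker does not control it.
     * Assets remain reachable under file:///android_asset even with file
     * access disabled.
     */
    public static void openBundled(WebView webView, String assetPath) {
        webView.getSettings().setAllowFileAccess(false);
        webView.loadUrl("file:///android_asset/" + assetPath);
    }
}
```

The point of the split is that the app's own bundled content and an attacker-controlled page are different risks: the former is fine in any WebView, while the latter should only be rendered by an engine that is still being patched, which on a pre-KitKat device means the standalone browser rather than the in-app view.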