Google has no plans to fix a security hole in the default browser for
older versions of Android, which are relied on by around 60 percent of
all Android users.
People with Android smartphones and tablets running
older versions of the mobile operating system -- around 60 percent of
all Android users -- are going to have to live with a security flaw
Google has decided not to fix. A known security
bug in the default, unbranded Web browser for Android 4.3 Jelly Bean and
older versions of Google's mobile OS will go unpatched, Google's chief
of security for Android wrote in a Google+ post on Friday.
"Keeping software up to date is one of the greatest challenges
in security," Adrian Ludwig wrote. Because the browser app is based on a
version of the WebKit browser engine that's now more than two years
old, fixing the vulnerability in Android Jelly Bean and earlier versions
is "no longer practical to do safely," he wrote.
Google confirmed on Saturday that Ludwig's post is the company's official position on the matter.
The company's decision has upset security experts, who worry
hackers will be able to easily target the hundreds of millions of people
using phones and tablets
that run older versions of Android. Ludwig contends the number of
people potentially affected by the vulnerability is "shrinking every
day." But for security professionals, it's just not shrinking fast
enough.
According to Google's own Android usage numbers,
39.1 percent of its smartphones and tablets run a newer, unaffected
version of Android: 4.4 KitKat. The most recent version of the operating
system, Android 5.0 Lollipop released in November, makes up less than
one-tenth of 1 percent of Android devices in use. That means about 60
percent of Android devices run versions of the OS that included the
susceptible browser by default.
The consequence
of having so many people running so many different versions of the same
operating system is that it becomes far more complicated to protect
them, wrote Tod Beardsley, an engineering manager at security firm
Rapid7. "Unfortunately, this is great news for criminals for the simple
reason that, for real bad guys, pretty much everything is in scope," he
wrote in a blog post. Upgrading to a new Android phone or tablet isn't an option for many people, Beardsley said, because while the latest Nexus phone
running the latest version of Android retails for $649.99, Amazon sells
new, out-of-the-box Android phones running older versions of the
operating system for one-tenth the price.
Ludwig recommends people on Android 4.3 or older use a different
Web browser. He suggests Google Chrome, which works on Android 4.0 Ice
Cream Sandwich and newer, or Mozilla Firefox,
which works on Android 2.3 Gingerbread and newer. However, switching
browsers won't fully address the flaw since it affects the part of the
default browser that apps tap into to display websites. Ludwig asks app
developers to restrict loading content in their apps that doesn't come
from the Android device itself, or over a secure connection.
Beardsley said he empathizes with Google's decision because of
the difficulties in updating old computer code. But he said he hopes the
company revisits its decision in light of the huge number of people who
depend on Android "to manage and safeguard the most personal details of
their lives."
0 Comments:
Post a Comment
Your comment and facebook share will be appreciated