Since Google's Project Zero team released information in the past 7 days about two Windows 8.1 bugs, Google itself has come under fire for its tactics. It is also being criticised for how it is dealing with a major bug in its own Android operating system. This bug affects the WebView component of Android 4.3 (or earlier). WebView is the core component used to render web pages on devices using Android 4.3 (or earlier). This is not the case with Android KitKat (4.4) and Lollipop (5.0), as Blink is used instead.
As 60 percent of Android users are on Android 4.3 (or earlier), this bug affects 930 million phones and should be viewed as a priority, but Google don’t seem to think so and won’t be issuing a patch for the flaw. When a bug is found, it is reported to Google, who then develop a fix and publish it as part of an Android Open Source Project release. In this case the bug was reported to Google and no fix will be made available.
The Android security team said “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch”. They also said “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue[…] If patches are provided with the report or put into AOSP we are happy to provide them to partners as well”.
If Google were to release a patch, phone manufacturers would then have to modify the update before releasing it to mobile carriers, who would then test and validate it before they release it. This can take around 6-9 months before they release it to their customers. Sadly this won’t be happening, and most mobile phone users won’t be given the option of upgrading their phones to KitKat or even Lollipop.
Manufacturers release so many different Android phones that upgrading them all to KitKat or above will take a lot of work. Also, cheaper models may not be upgradable because their hardware cannot handle it. Patching all phone models with a fix from Google would be easier and take less time.
You could update to KitKat or Lollipop by getting the latest updates online from various sources, but it may not work as it has not been customised to work with your phone and may cause problems with some of the hardware, such as the camera. It is also worth noting that if you update your phone manually, you cannot be sure that the KitKat or Lollipop update is not filled with malware.
Google have produced an operating system that does not have a direct distribution channel to push out updates, unlike Apple or Microsoft, who release updates over the air directly to the phone. Google release their latest major updates to all the Android phone manufacturers, who then customise them before they put them on their latest models or release them to the mobile phone carriers (who sell the Android phones).
Google update all their own apps that are available on their Play Store, but this is of little consolation to users who cannot get any patches or who cannot safely update their phone to KitKat or Lollipop. This also means that any future bugs will not be patched, perhaps causing future security headaches and forcing companies to rethink their BYOD policies.