Google won’t fix security bug in nearly a billion Android phones, hopes users will solve it

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

A security bug affecting a billion phones running Android will not be fixed because the software is too old.

There is a serious flaw in WebView, the piece of software that Android used to render webpages up until KitKat (version 4.4) and found by security analyst Tod Beardsley. But because the software is old, Google will not be developing a fix for the problem.

Instead, makers of phones or others will be expected to create patches that will stop the bug.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” the Android security team told Beardsley. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

Google says that devices running older versions of Android, such as Jelly Bean, are now too old for it to continue supporting them. Beardsley points out that many other software companies drop support for older software, and the affected versions are two back from Lollipop, the current release.

But Android phones are notoriously slow to get updated, and many manufacturers are still shipping out older versions of the operating system.

The current release, Lollipop, accounts for only 0.1% of the market according to Google’s Android Developer Dashboard, and more than 60% of devices are running the vulnerable software.

That means that over 930 million Android phones have the problem and will not be able to get it fixed, according to Beardsley.