Google deals out 'tough love' as it ends security updates for a billion Android users

Google deals out 'tough love' as it ends security updates for a billion Android users
Android’s long tail - many users still run older versions. Credit: Erikrespo/Google data, CC BY-SA

Google's announcement that it will not provide security updates for older versions of its Android mobile operating system means that more than a billion users face growing security risks to their phones or tablets.

While Android phones and have grown exponentially in popularity, from 4% market share in 2009 to 84% in 2014, by abandoning support for versions prior to Android 4.4 "Kit Kat" Google's decision affects more than 60% of Android users running older versions that will now be vulnerable.

At the heart of this announcement is a piece of software called WebView, a component of the built-in web browser in earlier versions of Android, but which also turns up in many apps. It is WebView that Google is dropping support for, replaced in version 4.4 with a new component taken from Google's browser, Chrome.

The reason for this is largely down to the number of security flaws found in the software, at least in part because it incorporates support for Adobe Flash which has simply proven too difficult to secure – ironically, as it was something Google touted as a plus for Android when Apple dropped Flash support for the iPhone.

There was no official announcement. In response to security researchers Rapid7 who had reported another WebView bug that needed fixing, Google responded:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

Many hands make light work

So Google is no longer fixing problems in anything but their latest (Android 5.0/Lollipop) or second-latest (Android 4.4/Kit Kat) versions, offloading the responsibility to either those that find the flaw, other interested developers, or phone manufacturers such as Samsung, HTC, or LG.

Android is an open-source operating system developed jointly by Google and other interested developers around the world who are able to update and maintain the codebase, while Google manages and steers the project. By making Android an open-source project, Google increases the community's ownership of the project, encouraging others to work on it. This approach is contrary to Google's competitors – Apple's iOS and Microsoft's Windows Phone – who develop their operating systems entirely in-house and keep tight control of their code.

So Google's decision makes more sense with that in mind – the code for Apple and Microsoft's operating systems is closed, so those firms wouldn't be able to hand off their responsibility in this way. But Google can at least offer others the chance to tackle the problems.

Keeping you and your data safe

Our mobile phones are used for sensitive activities – from logging in to websites filled with personal data, to online banking or online shopping. It's important to keep any software on any device – phone, tablet, or computer – up-to-date with the latest versions that patch those flaws and vulnerabilities that have been discovered. Encouraging more people to use the latest versions has been a key part of Google's approach, through automatic updates and cloud services.

However, mobile phone manufacturers are keen to sell us their latest phones. Providing ongoing support for older phones is expensive and phone manufacturers, and especially the telecoms companies that sell them to us, are already terrible at updating phones, generally dropping support for older models as soon as they can. Expecting them to provide regular seems far-fetched.

The upshot is that now phones even less than a year old are potentially vulnerable – Android 4.4 may have been "released" in late 2013, but new phones were arriving with 4.3 installed well into 2014. So, what can we do? Buy a new Android phone, or switch to Apple, Microsoft, or Blackberry?

Apple devices are considered by some to be more secure because of the tightly controlled ecosystem, from the operating system code to the vetting of apps in the App Store. But even iOS is not immune. Part of Android's appeal is the fact that it is open: easy to access and customise, but with a greater risk from rogue apps, viruses, and hacks. It also means that, with the requisite technical skill and patience, Android users can tackle these problems themselves, unlocking, upgrading and customising their own devices as they like – such is the way with open source.

The moral of the story

So, are Google setting more than half their users up for a fall? In practice this may not have a huge impact for most. It may encourage and the telecoms companies that sell them on to us to be more forthcoming with software updates for their devices, reducing the number of devices running out-of-date software.

Ultimately, the key message is that we need to start thinking of mobile devices as computers, not just phones, with all the caveats about security software, updates and precautions which that entails. This could be the tough love from Google that pushes people in that direction.

Explore further

Android L makes sense, even if it doesn't set the world alight

This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).
The Conversation

Citation: Google deals out 'tough love' as it ends security updates for a billion Android users (2015, January 19) retrieved 18 June 2019 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Jan 20, 2015
I'd be a little more inclined to blame my phone manufacturer, or maybe my service provider. Support (e.g. upgrades to the latest OS release) need not be expensive. It becomes so if someone in the middle chooses to encrust the vanilla OS in "value added" customization and crapware.

On Flash: considering all the effort Adobe has invested in patching its vulnerabilities, by this point they probably could have re-written it, securely, from the ground up.

Jan 20, 2015
I agree with alfie, google does not control the hardware of all manufacturer's therefore they can't possibly include the drivers for all the different hardware that all vendors choose to use. Don't blame Google, they support their branded phones for years just like apple. I had a nexus one (produced by HTC) and after 4 years of having it I gave it to my sister in-law, it started with android 2.x and if your willing you can even get 4.4 for it via xda-developers... You can on fault google on their branded phones do a quick uh google search for "nexus factory images" and you will see how long they support their devices.

It's funny when Microsoft was doing the same thing in the desktop side of things that was a bonus but on mobile it isn't. Look at the market penetration of Windows versus anyone else, look at the market penetration of Android vs anything else.... same thing.

Jan 20, 2015

As a security researcher I can say with confidence nothing is "safe" so trying to play that card is a pill of male cow manure. Here is the trick, don't root/jailbreak any device since doing so remove some of the most deep rooted security features... very old versions of android are less functional therefore some of the most recent malware/hacks most likely will not even work on the 2.x versions out there. Learn to compile Android Open Source Project (AOSP) source code, see if there is a version of linux that can be installed on it, start with Arch, Debian or Ubuntu...

With the draconian control that Apple puts on their apps and their cost prohibitive prices it is no wonder they haven't and will not break the 20% market barrier so say what you will think what you want. Just because you want to believe that since you pay more that makes it better in all aspect doesn't make it true.

Jan 20, 2015
Don't install more then what you absolutely need and the best advice is don't make these devices so critical to your everyday life. Just put down the device and walk away, putting your credit card, and other "what will screw you over" information and then expect it to never be broken or hacked is just naive.

The biggest security hole in everything made by anyone is YOU!

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more