Google will no longer patch Android phones running versions prior to 4.4 (KitKat), despite almost a billion mobile and tablet users running earlier editions of the operating system, security firm Rapid7 has revealed.
An email exchange with the Android support team showed that WebView, the system component Android apps use to render web content, was no longer being patched by Google in older versions of Android, with the company refusing to accept bug reports that did not come with a patch.
Tod Beardsley, a security researcher at Rapid7, said: "I’ve never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google’s position."
"This change in security policy seemed so bizarre, in fact, that I couldn’t believe that it was actually official Google policy. So, I followed up and asked for confirmation on what was told to the vulnerability reporter. In response, I got a nearly identical statement from security@android.com."
Figures from the Android developer dashboard showed almost two-thirds of users still running versions of Android older than KitKat, leading Beardsley to conclude that a majority of users "are now out of official Google security patch support".
"As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose," Beardsley added.
"However, a billion people don’t rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I’m hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge."