Google has defended its decision to not patch a vulnerability in pre-KitKat versions of Android and suggested that developers use a workaround in their apps.
According to Google's own OS version distribution stats, devices running on versions older than KitKat make up for nearly 61 percent of all smartphones and tablets. This percentage translates roughly into a billion active devices, which Google will be leaving vulnerable by not providing a fix.
Now, Google engineer Adrian Ludwig. has revealed that providing a fix for the WebView vulnerability which exists on these devices, would require a lot of code changes that may break some more things and does not seem like a viable option for the company anymore. Further, Adrian has suggested that developers who need to use the component in their apps should use it only to load secure and trusted websites.
Ludwig has also stated that Google is working on providing security updates for at least two major versions of Android to OEMs, which are KitKat and Lollipop currently. He believes more and more users are upgrading their devices and the vulnerable user base is reducing each day.
So that's the final word from Google. No possibility of an incremental security fix for users stuck on Jelly Bean or earlier and the only way to be assured safety as a user is to upgrade to a device which has one of the latest versions of the OS.
Source: Google+ | Image via Le Blog des Nouvelles Technologies