This week, Rapid7 security researcher Tod Beardsley strongly criticized Google for declining to patch a security vulnerability he had disclosed to the search giant.
The flaw Beardsley disclosed is in WebView, the component that renders web content for the default Android browser, in versions of Android prior to 4.4 KitKat. According to Beardsley, Google told him it would not patch WebView in any version of Android prior to 4.4.
The problem with not providing a fix for versions of Android prior to 4.4 is simple and yet quite profound. Devices running versions of Android prior to 4.4 still outnumber those on later versions, with over 900 million pre-Android 4.4 devices in the market today. That doesn’t mean, however, that the sky is falling and that all users of Android devices prior to 4.4 should trash their phones. The flaw that Beardsley reported is in one specific component of Android, WebView, and Google’s statement about patching relates specifically to WebView, not to the operating system as a whole.