Android Headliner: “OK Google. Where Is My Security Fix?”

January 17, 2015 - Written By John Anon

This is the question a lot of users of older Android operating systems might find themselves asking in 2015 and beyond. If you are just joining us, this week has been the week of Google and security. Now, security is not a new thing. Almost daily, we hear some form of security news. Sony gets hacked, the US and UK are fighting hard to combat cyberterrorism, malware, anti-virus, the list goes on. In fact, the idea of cybersecurity has been around pretty much since the Internet came to prominence. But this week was a little different. It seems if you are running any version of Android below Android 4.4, KitKat (which is essentially most, according to the latest figures), then you will no longer be receiving security updates from Google, in particular for a feature known as WebView.

To kick things off, it is important to understand what WebView is… or more so… what it does. WebView is a Google feature which gives developers a way to access internet content from within an app. From the end-user perspective, this means you can view internet content much more easily, quickly and conveniently. This is not only a handy feature, but also one which Google encourages developers to use. So why does WebView need security updates? Good question. Well, in short, this was not only Google’s preferred means of app-accessing-internet-content, but also hackers’ preferred means to gain access to your device. This is partly because WebView allows connections to many other aspects of your phone. Therefore, utilising WebView allows hackers to utilise much more. As such, there is this circle: WebView is highly usable, therefore highly vulnerable, therefore needs more protection and frequent updating.

So, if you ask Google “where is my security update”, they could in fact answer with “it is not my responsibility”. And they would not be completely wrong. Of course, Android is their responsibility and whichever way you look at it, the proverbial buck stops with them. That said, they are only part of the solution and, by that token, only part of the problem. To put it into perspective, with the release of Android 5.0 (Lollipop) Google unbundled WebView from the Google package and instead loaded it directly to the Play Store. Kinda like what Motorola have been doing for a while with their apps. One of the reasons they did this is so that they could more effectively offer everyone updates. The current dilemma for Google is that if there is a security issue with your WebView, Google fixing it is only the start of the healing process. From here, Google has to provide your OEM with the fix. After all, it is your OEM who provides your OTA updates, right? Once the OEM receives the update, they then have to make it compatible with their variant (or skin) of Android, test it and finally push it to your device by way of an OTA. Fix applied. The more varied a device is, i.e. a carrier-specific version of an already tweaked version of Android, the more hoops the fix has to go through before it can be applied. So even with Google supporting fixes for older devices, why would OEMs bother or care to provide you with the fix? We already know that once your device is two years old, OEMs pretty much abandon it.

So, is it the OEMs’ fault Google won’t continue the support? Well, no, probably not. However, that is probably part of the reason. More relevantly, that is almost certainly the reason why Google unbundled WebView and sent it to the Play Store in the first place: so they could offer more direct updates (of any kind) regardless of manufacturer or carrier. The problem with Jelly Bean and the rest is that Google cannot unbundle it for older devices. Furthermore, if OEMs do not intend on supporting older devices, then what is the point in Google trying to provide the fixes? There is, of course, another part of the community who could provide fixes: the developers who find such bugs in the first place. Now, they will be outraged by even the suggestion of this, and rightly so. But the point is still there: those who are capable of finding the issues are also capable of fixing the issues. But they are right, they shouldn’t have to either.

In fact, this leads to the inevitable answer to the ‘where is my fix’ question. Google shouldn’t have to provide fixes for older devices when it is almost guaranteed that OEMs will not be providing the updated patches anyway. Likewise, OEMs should not have to provide fixes when Google have made it clear they won’t. In the same manner, developers should not be the ones left to provide a fix just because the others won’t. In fact, this leads to the ultimate realization of what Android really is. It is an open source system for which no one is ultimately responsible. We all play our part and make it our own, but that is it. If you want to know where your fix is, then rest assured that no one will take responsibility for devices once they reach a certain age. Will this help Jelly Bean (and older) users? No. But the short of it is, no one seems to be willing to help them.