
Jellybean upgrade too hard for Choc Factory, but not for YOU

Patching WebKit would be unsafe, Google tells 960 million users

Google says it won't patch Android Jellybean because it's too hard.

The company revealed earlier this month that it would not fix vulnerabilities found in WebView, the core component used to render web pages on older Android devices.

Android engineering lead Adrian Ludwig said it was too hard to squeeze a patch into WebView's WebKit engine, which was five million lines of code deep.

"WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely," Ludwig said.

"With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices."

Despite the risks, Google is welcoming patches developed by the community.

Falling Jellybean user numbers are the most positive spin that can be placed on the decision, however, as nearly a billion devices, or 60 percent of the total Android user base, were estimated to run on the platform, according to Rapid7.

Metasploit engineer Tod Beardsley discovered Google's unwillingness to patch the Android iteration after he reported a WebView flaw to its security team.

"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves but do notify partners of the issue ... if patches are provided with the report or put into AOSP we are happy to provide them to partners as well," the Google team reportedly said.

Beardsley said at the time that Google should patch WebView, given the large number of users on the older platform, and not jettison fixes just because it was outdated.

"I empathize with their decision to cut legacy software loose [but] a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives," he said.

"In that light, I'm hoping Google reconsiders if [or] when the next privacy-busting vulnerability becomes public knowledge." ®
