Google defends policy that leaves most Android devices unpatched

Google on Friday defended its decision to stop patching WebView, a core component of Android, on versions older than 4.4, aka “KitKat,” saying that the huge code base is unsafe to fix.

“Until recently, we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier,” wrote Adrian Ludwig, Android lead security engineer on Google+. “But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two-plus-year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”

To read this article in full or to leave a comment, please click here