Google Stopped Patching Old Android Exploits, but Don’t Panic

Posted on the 12 January 2015 by Configcrazy @configcrazy

Originally posted on Gigaom:

Security researchers are up in arms this morning over Google's decision to stop patching a core Android component on older devices.

According to Tod Beardsley, an engineer at security firm Rapid7, versions of Android WebView, a key component of the Android browser that apps use to render webpages, are insecure. (Rapid7's Metasploit product catalogs 11 vulnerabilities in Android WebView.) Making things worse, Google has apparently stopped patching the component for older phones - and if you report a vulnerability, Google won't listen unless you provide a patch yourself.

Beardsley says that Android's massive deployment means that "any new bug discovered in 'legacy' Android is going to last as a mass-market exploit vector for a long, long time." It's as if Microsoft stopped patching Windows XP and Internet Explorer in 2007.

The affected version of Android WebView was ditched in Android 4.4 for a more modern version. The only phones affected are running...

