Google's Android team has advised outside security researchers that it will no longer fix security bugs found in Jelly Bean or earlier releases, despite the fact that "pre-KitKat 4.4" software powers the majority of active users' devices currently accessing Google Play. Meanwhile, less than 0.1 percent of Android users have received Android 5.0, and those who have report an "unfinished/unpolished" experience.
Google's latest figures for Android version distributions show that only 39.1 percent of active users have Android 4.4 KitKat, which was first released shortly after iOS 7 in late 2013. Google's latest release, Android 5.0 Lollipop, has not even reached 0.1 percent of the Google Play active installed base (which does not include Amazon or other non-Google Android devices in markets including China).
In contrast, Apple now has 68 percent of its users on iOS 8, while 29 percent are still using the year-old iOS 7. Only 4 percent are using an earlier release. However, Apple has continued to patch iOS 6 for older devices, releasing its latest 6.1.6 update for 2009's iPhone 3GS last February, addressing the "goto fail" flaw.
Google has now announced that it won't patch newly discovered flaws in Android pre-KitKat, including WebView (the equivalent of iOS' Safari WebKit), news passed along by security group Rapid7.
There are plenty of Android WebView bugs in need of patching; security researchers Rafay Baloch and Joe Vennix, among other contributors to the Metasploit vulnerability exploit tool, have identified at least 11 active exploits targeting Android's WebView in Jelly Bean and earlier.
Android's big oops won't get fixed
Android WebView has an abysmal security record, which is significant because it is used throughout the system. One of its major flaws is that it incorporated hardwired support for Adobe Flash, which Google originally touted as a feature for Android before admitting that the proprietary middleware was effectively impossible to support and secure on a mobile device, just as Steve Jobs had stated back in 2008 and again in 2010.
Google eventually abandoned its efforts to make Flash work on Android, but retained insecure code that enabled other exploits to take advantage of Android's cozy relationship with Flash up to and including Jelly Bean.
For example, Android's buggy WebView enabled Fake ID, a vulnerability discovered by BlueBox Security last summer, to gain system-wide access to users' data by pretending to be Flash, escaping the sandbox and digging within apps such as Salesforce and Microsoft OneDrive to grab data from the apps, sniff out the apps' network traffic and gain any additional privileges held by those apps.
WebView is used to render webpages in the system browser and within apps that bundle it. In 4.4 KitKat, Google switched to a new web rendering engine based on Chromium, stripping out the last remains of Flash. Google's policy to abandon support for pre-Chromium users therefore leaves most Android users vulnerable to a wide range of known exploits.
Google's Android installed base is the opposite of Apple's, with most users (46 percent) stuck on "Jelly Bean" (the equivalent of iOS 6 or earlier), another 39 percent on its iOS 7-era KitKat, and virtually none on the latest "Lollipop" update (as new as iOS 8). Another 6.7 percent are still using Android 4.0, and 8.2 percent (of Google Play's active users) still use an ancient version of Android 2.x dating from 2010-2011 (as old as iOS 3-5).
Android updates have always lagged behind, in part because most users have to wait for Google's software to trickle through layers of testing and tweaking by manufacturers and carriers before they can install an update.
Rather than getting better, Android's update problem appears to be as bad or even worse than it was in 2011, when Android was barely three years old and the issue of Google's inability to issue prompt updates began floating as a real issue.
One issue contributing to the lag in Google's updates is the fact that most Android devices sold are barely equipped to run new software. Facebook recently noted that 66 percent of the Android devices using its software have hardware specifications comparable to (or worse than) an iPhone 4 from 2011.
Even users of Google's own Nexus-branded products are unlikely to get updates after only a year and a half. For example, Google never made last year's KitKat available to users of its Samsung-built Galaxy Nexus (a phone released alongside the iPhone 4S in late 2011).
Android 5.0 Lollipop hard to find, full of bugs
Currently, even users of Google's Nexus 7 tablet (still on sale) report that they haven't received an update for Android 5.0 Lollipop, despite the device being prominently depicted by Google as able to run the new software when it was first introduced last summer.
Commenting on the Forbes article "Why is Nobody using Android 5.0 Lollipop?" reader Paul Armstrong wrote, "I called Google about my Nexus 7 2013 not receiving the OTA [over the air] update and I was told by the CSR that Google is still rolling out the 5.0 OTA update to Nexus devices.
"I was told the order was based on place of purchase and since I didn't purchase from Google directly I would have to wait longer. I was told they have no ETA on when the roll out would be complete and no estimate [as to] when I might receive an OTA update. I then asked if there was any other method of getting 5.0 on my Nexus 7 and was told no. I was told my only option was to wait (isn't there a download update too???)
"So here's your two reason[s] why Android 5.0 has such a small market share: 1) Google is not rolling it out to their own devices; 2) Carriers have not yet (for the most part) rolled it out to the majority of customer devices."
Nexus users who have received Android 5.0 note that Google is suffering through significant software release bugs, just as Apple has with iOS 8. Reader "LazyHazy" wrote, "I've been using Android Lollipop since November when my Nexus 4 received the update, and have since had a 5.0.1 update.
"I agree with 'Joe pasta', however, that Lollipop is somewhat unfinished/unpolished and Google are ironing out the bugs before releasing it to the entire market. The Nexus users serve somewhat as 'crash test dummies' before everyone else receives the latest Android update; except Nexus 7 users, as Lollipop currently brings this device to its knees, hence why the OTA updates stopped.
"I didn't realise that us Nexus users make up less than 0.1% of the market; I'm feeling quite privileged now... despite the teething problems."
Android fan site GottaBeMobile noted that, although apparently limited to users of Nexus devices, the Android 5.0.1 update has users "complaining about the inability to connect to wireless at work, screen rotation issues on the Nexus 7, various issues with Wi-Fi after installing Android 5.0.1, Android 5.0.1 installation issues, problems with Google's 'OK Google' function, even more Wi-Fi problems, issues with sound after upgrading, Bluetooth issues, problems with the home button, and we've also heard that some people have seen the notification, only to see it disappear. This just scrapes the surface and as time goes on, we'll almost certainly see more complaints from Android 5.0.1 users."
Back in November, the BBC profiled Android 5 issues reported by Nexus early adopters, citing users who said the update made their devices "unusable," including Kristen Sawyer, who reported that "some apps won't work and some crash. I wish I didn't install the update."
Another stated "Chrome is dead, unusable, Firefox just about works, the keyboard takes over a minute to load, nearly works if you hunt and peck but dies if you try to swipe."
Android 5.0 Lollipop is so "shockingly bad it is basically unusable"
Nexus user Gary Looker said the Android 5 update is so "shockingly bad it is basically unusable, lags just rotating the screen, every task takes 10 seconds to perform if it does it [at all].
"I've turned off Google Now, changed transitions to zero and limited it to two background apps maximum like the good people here suggested. I shouldn't have to do that, and many people won't know where to turn or who to listen to."