
Google Isn’t Fixing Some Old Android Bugs - anorborg
http://blogs.wsj.com/digits/2015/01/12/google-not-fixing-some-old-android-bugs/
======
ufmace
As I remember it, most of these critical bugs are in the Android browser,
which is considered a core part of the OS in those versions. The trouble with
that is there's no way to update it without doing all the work of a whole OS
update, including the usual mess of getting approval and merging changes from
device manufacturers and local carriers.

It seems more understandable that way that Google told them to just upgrade to
a newer Android version instead.

~~~
outside1234
Maybe we should give them a 90 day deadline to fix them.

~~~
ufmace
Enforced how, on who, by whom? Google can say "They're fixed already, just
upgrade to Android 5.0.1". Manufacturers and Carriers can say "Meh, we're
still testing it". Enforcing such a rule requires holding a particular party
responsible, and that party must have some authority to hold other involved
parties responsible for doing their parts.

Probably the best thing that could be done overall is Google's already-
complete plan to move the web browser, and as much other code as they can, to
Play store apps that they can centrally auto-update. But getting that solution
onto the vulnerable phones required them to, once again, just upgrade to the
newest Android.

~~~
slacka
Agreed, placing all the blame on Google is not fair. Besides Google, carriers,
and manufacturers, there's one more party involved that no one seems to talk
about, users. Google only promises to update their software for 18 months. If
you're going to milk years and years out of your smartphone, don't you have
some responsibility to update outdated apps with updated ones from the Google
Play store?

I have an old Galaxy S3 that Samsung no longer updates, yet these bugs don't
affect me because I've replaced the built-in browser with Chrome, which still
receives regular security updates. What's stopping users of old phones from
installing Chrome or Firefox?

~~~
ufmace
Some truth to that, but replacing your web browser doesn't actually fix the
bug entirely. The problem is that the WebView elements inside applications
still use the vulnerable Android Browser to display content. You can't change
that behavior or update the Android Browser without an OTA update of the whole
OS.

~~~
slacka
True, but you have to download the malicious app from the app store. Here
Google has a good track record of removing them from their store. Also, the
user can exercise some common sense by not installing apps from untrusted
sources. If the user does not pay attention to the app's permissions, any app
could be harmful without needing a browser exploit.

------
Karunamon
_That covers roughly two-thirds of the billion-plus Android devices in use,
according to Google_

Wow. How is this even remotely acceptable? I get that they want to focus on
the latest and greatest, but leaving 2/3 of your users out in the cold, in
2015's security climate is absolutely _insane_!

Never mind the fact that upgrading is a non-starter for most users.

~~~
AshleysBrain
You could argue Google have already fixed the bugs - in Android 4.4 and newer
- and that it's the carrier and manufacturer's responsibility to issue those
updates. In many cases even if Google issues a patch, carriers and
manufacturers don't bother to issue an update for their own devices. So is
Google really entirely to blame here?

~~~
ska
It's a bit of a strange relationship:

The manufacturers can't insist that Google support older versions with proper
patch releases for bugs like this, because they aren't paying for it.

On the other hand, Google really can't expect to drive the manufacturers' test
& release cycles. I expect that even a minor release is an expensive testing
effort on their part, so they are understandably reluctant to do this off
cycle.

I think this is the point of some of Google's recent changes, but it's unclear
how well that will work in practice.

------
Zigurd
Chrome is available for Android 4.0+ which amounts to 85%+ of Android devices
in the installed base, according to
[https://developer.android.com/about/dashboards/index.html](https://developer.android.com/about/dashboards/index.html)

It's a non-issue, as with other bugs Google recently closed as NTBF.

~~~
aroberge
These stats are based on people visiting the Google Play store. They are
almost meaningless.

I have an Android phone that works perfectly well and is paid for; I don't
have money to burn to buy a new phone. I got it after I bought a Windows 7
computer - which will likely be updated for many years to come. When purchased,
the phone cost almost as much as my computer did. However ... the phone is
running version 2.3.3 and can not be upgraded (and has not been updated for a
few years now). And most new apps do not support this Android version (and
have not for a few years now) so I have given up on visiting the Google Play
store. My wife has an identical phone and has not bothered either trying to
get new apps for a few years now.

It's a "non-issue" only because Google (which I generally support) has a
shitty policy when it comes to supporting old versions of their products.

~~~
Zigurd
Statistics based on visits to the Google Play store are certainly not
meaningless. If you have a Kindle device you don't have this problem. Or, if
you have a phone in China that's AOSP-based but using a Chinese portal's
ecosystem you are probably running their browser.

That leaves you among the small percentage who are in the Google ecosystem,
but running an old version of Android. Perhaps it was Google's fault for OK'ing
Google logo devices with trailing-edge OS versions when you bought your phone.
But they've fixed that now with Android One and the inexpensive Moto phone.

And, on top of that, if you really want a newer version of Android without
buying a new phone, there's a decent chance that CyanogenMod or other
aftermarket releases support your device. Google has never stopped anyone from
"bootlegging" the Google ecosystem into such configurations.

------
jaxbot
Reminds me of the Android File Transfer bug that disables MacBook
keyboard/trackpad if the phone is locked. It was recently marked as
"obsolete", despite all Android documentation (and even software on the phone)
suggesting the user use it, and the bug still exists on Lollipop:

[https://code.google.com/p/android/issues/detail?id=39548](https://code.google.com/p/android/issues/detail?id=39548)

I don't really understand how this has slipped through the cracks; Google has
a decent number of MacBooks in their offices last time I was there, so maybe
copying files just isn't popular? Either way, it's a pain that the tool is
closed source and the maintainer won't maintain it.

~~~
lnanek2
I've found Android File Transfer rarely even works for me nowadays. I ended up
paying for a third party app called SyncMate, but it works flawlessly and even
restores the ability to mount the phone and have everything just work easily
instead of the broken media transfer protocol Google is trying to force on
everyone.

------
anorborg
I think the eventual solution will be a software subscription fee that ends up
going to the carriers. They are motivated to get people to upgrade their
phones right now, and unless they are legally obligated or financially
compensated, I doubt they will change their practices to enable people keeping
their phones.

~~~
jpollock
There used to be hardware rental and line maintenance charges in fixed line
phone networks. There still are in cable networks. It's just another source of
revenue, and it doesn't encourage software updates.

