Jellybean upgrade too hard for Choc Factory, but not for YOU

Google says it won't patch Android Jellybean because it's too hard. The company revealed earlier this month that it would not fix vulnerabilities found in WebView, the core component used to render web pages on older Android devices. Android engineer lead Adrian Ludwig said it was too hard to squeeze a patch into WebView's …

  1. Anonymous Coward

    Technical or financial

    Extending the life of older devices after a certain point is no longer in Google's interest - it wants to maintain its ecosystem and have some sort of upgrade cycle. Getting the old devices to the point where you cannot install a single update because it barfs with "insufficient space available" is one way of doing that.

    1. Robert Helpmann??
      Childcatcher

      Re: Technical or financial

      I would guess that the fact that updates have to be pushed out by the various telcos and ISPs might have a bit to do with it, as well. If Google ran updates where the devices phoned home (see what I did there?) to Mountain View for updates rather than having to depend on the mobile service their respective owners use, it might be a different story. Take Verizon, for example. If you go to its Android FAQ page, most of the newer versions have a note to older phone owners that reads like this:

      XXX is only available on select Android devices. Some newly released Android devices will ship with XXX preloaded. If your device is running an older Android version, you can regularly check the Advanced Devices Software Updates page to see if the XXX update is available for your device.

      Of course, you can keep checking until the cows come home, but you are never going to update. As much as I hate to condone Google's current strategy on this issue, I cannot imagine it would be worth while to put in the effort needed to patch this flaw only to have most of the mobile carriers not bother with it. On the other hand, Google could change the update model to work more like Chrome, but that has its own set of risks.

      1. Anonymous Coward

        Re: Technical or financial

        But if Google don't supply the update, how are the carriers supposed to push it out?

        Google's issue 100%. If they release the code and then the carriers don't push it out, then it's the carriers' issue.

        1. Dave Fox

          Re: Technical or financial

          No it isn't. They've already released fixed code - it's called KitKat.

          The hardware OEMs could push out an update to KitKat, which has a lower memory footprint than Jellybean, so should work better on older devices.

          They've decided not to do so, so what chance of them pushing out a Jellybean update?

          1. James R Grinter

            Re: Technical or financial

            An update based off Jelly Bean - no driver issues for the older hardware - would be far easier for the manufacturers to deploy than the engineering required for KitKat (or other) on old hardware. That's why the manufacturers should be the ones demanding support from Google.

  2. This post has been deleted by its author

  3. Psmo

    Wait 90 days and publish the exploit?

    We all know that's the responsible way to go about bug reporting...

    1. dogged

      Re: Wait 90 days and publish the exploit?

      with proof-of-concept code, naturally.

    2. Adam 1

      Re: Wait 90 days and publish the exploit?

      Came in here to find this comment. Was not disappointed.

      1. dogged

        Re: Wait 90 days and publish the exploit?

        Two people were. I didn't know Larry and Sergey voted here.

  4. Anonymous Coward
    Mushroom

    So let me get this right...

    90 days to fix code, unless it's ours, then we just say it's too old and we can't be arsed.

    Hypocrisy at its best.

    Google's new mantra: Don't be evil, unless it's to our benefit.

    1. Anonymous Coward

      Re: So let me get this right...

      How many phones running Jellybean do you suppose would be updated by their manufacturers, if Google did release a patch? These would be the same manufacturers who couldn't be bothered to release an OTA update to KitKat for those phones. Don't worry, you won't need to take your shoes off to count them.

      1. Anonymous Coward

        Re: So let me get this right...

        Sony for one.

      2. Anonymous Coward

        Re: So let me get this right...

        So that's ok then is it? We don't think many will push out the update, so we won't bother.

        This is a multi-billion pound business, not some back street shop. Heck they can even claim it as a cost to get their massive profits back to zero.

        What a shit attitude.

        1. Anonymous Coward

          Re: So let me get this right...

          "So that's ok then is it? We don't think many will push out the update, so we won't bother."

          It's reality. If a manufacturer hasn't released a KitKat update, why do you imagine they will release a Jellybean patch, for an old (to them) phone? They won't.

          This may be a shit attitude, but until the manufacturers behave as if they're selling small computers with a complex OS that needs regular patching, and not dumb phones with locked-down firmware, then this fiasco will continue. It's also the reason why Google has been pushing more and more core functionality into Play Services, which it can update independently of the manufacturers - something it's also been criticised for, incidentally, as being evil in "taking control of Android". Hey, ho.

        2. Avatar of They
          Thumb Down

          Re: So let me get this right...

          In all fairness it isn't just Google. When I wrote to my MP and Phorm (all those years back) the ICO replied and said "...because people were not technically competent to understand the issues, I will not proceed on this matter."

          It is a nice 3 page letter summarised with that one sentence.

          Naughty Google.

      3. big_D Silver badge

        Re: So let me get this right...

        That is the problem with the mobile space.

        Apart from Apple, nobody has their act together, when it comes to getting updates and security fixes out - and Apple aren't a shining example, compared to the desktop world.

        The problem is, it is all open source and nobody is being held responsible for ensuring that customers are safe - everybody is pointing the finger at somebody else and saying "it's not my problem, it is theirs!" That just doesn't wash. And no, I'm not being anti-open source here, I use a lot of OSS and have contributed to several projects.

        Here Google should be forced to issue security fixes for a reasonable amount of time (although maybe the 13 years or so XP got security patches is a bit excessive) and the manufacturers should be obligated to get security fixes out there ASAP. If not, then they should be subject to fines and compensate users for distress and lost information and stolen money.

        I can see the argument against some version updates (newer, faster hardware needed), but security isn't a version update, that is keeping your customers safe and building goodwill, that they will come back and buy from you again, when they need a new device.

        1. Brewster's Angle Grinder Silver badge

          Re: So let me get this right...

          "Here Google should be forced to issue security fixes for a reasonable amount of time"

          Well Microsoft support two previous versions. So for Android that would be 5.0 and 4.4.

          Android 4.3---the last incarnation of Jellybean---was released on 24 July 2013, although the first incarnation---4.1---was first released 10 July 2012. So it depends how you measure it. I have to say, three years would be the minimum...

          1. big_D Silver badge

            Re: So let me get this right...

            Judging by how long people around here keep their handsets, I'd say at least 5 years.

          2. Anonymous Coward
            FAIL

            Re: So let me get this right...

            Nope that would be ALL 5 & ALL 4

            Otherwise, you would have to exclude service packs for MS as well.

            Also with MS there is a defined road map for EoL

            http://support2.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+8

            Can you supply Google's please?

            1. Boothy
              WTF?

              Re: So let me get this right...

              Playing devil's advocate here, so bound to get some downvotes by those who don't understand what one is, but....

              Quote: "Nope that would be ALL 5 & ALL 4"

              Why?

              MS don't do that for Windows, why would you expect Google to do it for Android? Typically MS requires you to be at a specific Service Pack level on an OS to receive new security patches, usually the last one released for an OS that is still in support. The Android equivalent of the service packs, being the minor releases, x.1 x.2 etc.

              Why would Google be expected to patch 4.3 or earlier, when the current (and I would guess last) release of Android 4.n, is 4.4?

              If a phone is still on 4.3 or earlier, go grumble at the carrier/vendor/manufacturer.

              Granted sometimes you could be hardware limited, but you'd hope a phone would need to be 3+ years old before that became a factor. Minor releases 'should' be able to be run on the same hardware.

              There ought to be something in law covering these things, i.e. force OS updates for the handsets within a reasonable time (say 90 days), for the life of the contract or a minimum term, whichever is greater (say 3 years min), or the vendor becomes liable for any losses incurred by the phone, for anything related to a vulnerability that was fixed later on.

              e.g. If your phone is on 4.3 currently and is a carrier phone (EE etc), and a 4.4 generic image has been released for your phone, just EE haven't done their tweaking yet, then the carrier becomes liable for all losses and personal injury caused by any vulnerability fixed in 4.4 after 90 days of 4.4 coming out. Liability cascading upstream, so if the manufacturer still hasn't released 4.4 after 90 days, it's them rather than the carrier that become liable.

              1. big_D Silver badge

                Re: So let me get this right...

                What does a contract have to do with the life time of the phone? Most people I know buy a phone separate from the contract.

                As to Microsoft, until the middle of last year, that would have been XP SP3, Vista SP1, W7 SP1, W8, W8.1 and W8.1 Update 1. In Google terms, that would mean covering all versions back to at least Honeycomb.

                And they should ensure that the users get the sub-version service packs (E.g. 4.2.2, 4.1.4) if they are only going to support 4.2.2 or 4.1.4 etc.

          3. msage

            Re: So let me get this right...

            You mean the Microsoft that supported XP, Win 7, Win 8 and Win 8.1?

            Gotta love MS bashing!

        2. Tom 13

          Re: Google should be forced to issue security fixes

          Google is on a 30 day release cycle. If your phone is more than 90 days old it's obsolete. Why should Google support obsolete phones?

          I'd put up a joke icon, except I'm not sure it is.

  5. fruitoftheloon
    WTF?

    So basically...

    We can't be arsed to fix our shit, but are quite happy for someone else to [potentially] pay someone else to do it.

    Do no harm - unless it is a bit tricky/fiddly/tiresome etc...

    Charming,

    J

  6. Teiwaz
    FAIL

    Oh I REALLY want an Android phone now!!

    Not.

    I'm not the type to upgrade a phone every year and a half, and I've never lost a phone (I did accidentally drown a Nokia 6210 in Ribena, but there were extenuating circumstances).

    So do I want to pay money for something that might be abandoned to the ravages of the internet just because an iteration gets released six months later and they can't be bothered to fix a problem on the older version?

    Nope...

  7. Chairo

    Not using Chrome as the Android default browser...

    ...is the real problem here - why did they integrate a Browser as a system component that has pretty much the same functionality as the Chrome app they offer anyway? Chrome gets regular updates, the "Browser" component only when the OS is updated. What's strange as well, is that other system components like "Google Search" are updated regularly. Why not the browser?

    1. Malcolm 1

      Re: Not using Chrome as the Android default browser...

      WebView pre-dates Chrome on Android by several years. In very recent versions of Android (just Lollipop I think), Chrome has now replaced the WebView component, but this change has not been applied retrospectively.

      As you point out, increasing numbers of Android components are being moved out of the core OS and into "Google Play Services" allowing Google to push updates and fixes to older OS versions without involving the carriers, but this is a gradual process over several OS releases.

      Which is not to defend Google's actions in this situation, but at least they seem to have identified the underlying problem and are moving to address it (albeit slowly). I'm guessing that some people at Google have been getting something of an education over recent years in the difficulties of supporting a mass market operating system running on diverse hardware supported (or not) via various OEMs.

      1. Dan 55 Silver badge
        Devil

        Re: Not using Chrome as the Android default browser...

        If they really wanted to address the problem they would have made AOSP modular and updatable by operators and phone manufacturers instead of shoving everything into Play Services and making it closed source.

        What Google want to do is take back control of the platform because making Android an open source project has served its purpose.

        1. Anonymous Coward

          Re: Not using Chrome as the Android default browser...

          So when core stuff like WebView was AOSP, updated by Google, but manufacturers didn't bother releasing patches - that was Google's fault for not being able to push updates.

          When Google remove core stuff (equivalent to Webview) from AOSP so that they can push updates whether the manufacturer likes it or not, that's Google's fault for taking control of the platform.

          The quantum of rational thinking in some of these comments when it comes to Google seems to be very, very small indeed.

          1. Dan 55 Silver badge

            Re: Not using Chrome as the Android default browser...

            The update method should be as open as AOSP otherwise it's just a stick to beat OEMs into line for Play certification and make non-Play certified devices very difficult to maintain (you've basically got to do your own copy of Play Services - only Amazon's really managed it, not even Samsung's been able to).

  8. Psymon

    Can you spell irony?

    Microsoft must be sitting there thinking "Five million lines of code, and an out-of-control branching development cycle? Awwww, that's so quaint!"

    That's also SO 2003.

    Suck it up, and fix your own problems, Google. Don't just foist the risk onto the 3rd party developers. Your mess, your responsibility.

  9. LucreLout
    Windows

    I could so easily have this wrong...

    .... as I've only just started looking at Android, but are there not versions available for embedded systems? Surely Goog doesn't expect everyone to upgrade these because they don't want to spend a few days patching their code?

    The release cycle for Android versions has been as impressive as it has been relentless. While backward compatibility should be broken where required, that doesn't relieve Goog of the requirement to patch retrospectively.

    That aside I'm really quite impressed with Android Studio, and the whole setup around AVDs.

    1. IsJustabloke
      Trollface

      Re: I could so easily have this wrong...

      So what you gonna do with all the time you saved typing "goog" instead of Google?

  10. Blitheringeejit
    WTF?

    So is Firefox safe or what?

    I'm confused - I use Firefox on my Android 4.4.4 phone, so am I using Google's flawed Webkit, or a different Webkit installed as part of Firefox (which I understand is a webkit browser)?

    Boffinaceous expertise please!

    1. big_D Silver badge

      Re: So is Firefox safe or what?

      Firefox uses Gecko.

    2. Handy Plough

      Re: So is Firefox safe or what?

      Neither; it uses Mozilla's Gecko engine.

    3. Tom 13

      Re: So is Firefox safe or what?

      You state you are using 4.4.4. Google state they are patching anything after 4.4 so yours should be patched.

      If WebKit is present on your phone, you're potentially vulnerable regardless of what browser you use because the code is still present on the phone. I translate the PR guy's statements as, "at 4.4 we replaced WebKit".

    4. Adam 1

      Re: So is Firefox safe or what?

      The problem isn't so much the browser (or they would just update it in Google Play or advise you to use another browser). The problem is that the WebKit rendering engine is used by apps to integrate web content into a regular app. Most commonly, this is how the ad supported apps show those ads, but there are also things like PhoneGap which lets you wrap an HTML5 website and deploy it to the various app stores in what appears to the user to be a regular app on their platform.

      We are in a state where a dodgy advertisement on a free game is a relatively easy attack vector but Google won't fix it.

      Not good enough Google!

      (Posted from my Nexus 5 running Lollipop)

  11. Dan Paul

    Do I hear anyone comparing Google to

    Microsoft?

    Seems hypocritical if they don't. Hmmm.. let's see now... browser deeply integrated with OS, check. OS Upgrades only available on newer phones, check. Arbitrary and capricious cutoff for upgrades, check.

  12. Andy Livingstone

    "Upgrades only available on newer phone"

    Lollipop? It must be an iced lolly as it has melted away completely. That's despite my "newer" phone being second on the scheduled listing for update. First and last Motorola I will ever buy. I do not like giving money (sorry, my hard earned money as politicians insist on calling it) to Companies that promise something but do nothing.

  13. chasil

    Google has ruined my phone

    I have an older phone running Jelly Bean.

    The stock browser is reasonably fast, but Chrome is painfully slower. I'd prefer to use stock, but Google has hopelessly broken it in deploying it as they have.

    Gmail used to be fast. Now it's also painful.

    I'd really like to move back to Google Voice, as Hangouts suffers these problems as well. I used to be able to use http://voice.google.com to text-message from any browser. The Hangouts upgrade eliminated that capability.

    We need "lite" versions of these apps.

    I am really beginning to wish that Microsoft would fork Android. I feel like I'm living through Windows 95 again, and maybe a company that has already been through this might not do it quite so badly.

    Maybe I should try FirefoxOS.

    1. Dan 55 Silver badge

      Re: Google has ruined my phone

      If you don't want to use the unsupported system browser and don't want to use Chrome then there's Firefox for Android which unlike the rest is more than a shell for WebKit.

  14. a8

    Great, so I am stuck as I just bought an off-contract Optimus G a few months ago and carrier refuses to provide KitKat upgrade. Not to mention some of my Asus Tablets are still running ICS and JB. Does Google really expect everyone to buy a new device every two years and dump the "old" devices to landfill?

    1. chasil

      LG Optimus G - Cyanogenmod

      No, you can get KitKat for an Optimus G by installing CyanogenMod.

      Download and install instructions:

      http://wiki.cyanogenmod.org/w/E975_Info

  15. Aslan

    Google made it they need to support it.
