The same criticism has also been aimed at Apple, which does not explicitly spell out how long it supports each version of OS X or iOS.
Although iOS has no written end-of-life policy and Apple rarely patches older versions of iOS -- it instead tells customers to upgrade -- the company does generally support several generations of devices with its latest edition of iOS. The difference between Apple and Google, however, is stark when it comes to upgrades and updates, as the former provides them directly to customers, while Google does not. Google's approach results in a larger percentage of devices running older OSes than does Apple's.
Almost as important to Beardsley was that Google has not applied the same policy to all parts of Jelly Bean. "This isn't the end of life for all of Android [version 4.3, or Jelly Bean]," Beardsley said. When he posed a hypothetical to the Android security response team about whether it would patch a vulnerability in Jelly Bean's audio player, for example, Beardsley was told that Google would fix the flaw. "This uneven treatment of different components will be confusing," he predicted.
Adding to the uncertainty was the possibility that some device makers or carriers may patch a specific WebView bug in their interpretation of Android, while others would not. Google said that although it would not fix such vulnerabilities itself, it would accept patches from others, including device manufacturers, carriers and even security researchers.
Beardsley said that it wasn't unknown for researchers to provide patches for flaws they discovered and reported.
In the blog post, Beardsley asked Google to reconsider its apparent no-patch policy for WebView in Jelly Bean and older. "Google's engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning," he wrote. "I'm hoping Google reconsiders."
Currently, Rapid7's Metasploit penetration testing framework includes several exploit modules that rely on unpatched WebView vulnerabilities in Jelly Bean, Beardsley confirmed.