From the mail bag: Is Android affected by the recent Java security issues?

Russ8611 writes, 

Hello Androidcentral! I was just curious if any of you guys feel like reporting on the Java vulnerability and let us know how it affects Android as a platform. I know most people say they don't need Java on their computers, but isn't Java needed by Android, especially by developers? Thanks!!!

That's a nasty mess, isn't it?

Java means a few different things, depending on how you're talking about it. The Java that's in the news with a heck of an exploit floating around is the Java that you install on your computer as an application platform. Almost every desktop operating system can run programs built for Java, because Java is a platform that runs inside and on top of your operating system. It sounds a bit confusing, but think of it as a virtual machine that can run code built and compiled a certain way. There's more to the Java platform than the virtual machine, but most people will never need any of it and have no idea that it's even installed.

We install Java on our computers so we can run programs. Some of those programs can originate on the web. Remember, this isn't JavaScript that runs inside the browser; this is code that will start up that virtual machine we talked about earlier. That's where things got sticky over the weekend. The component that runs as a browser plugin was exploited. Since Java is cross-platform, that means Windows, OS X, and Linux distributions could be affected.

But not Android. It's immune to the recent security issues.

Android doesn't use Java in the browser, and the Java-esque software in the OS is different and not affected. Thankfully, our Android devices are immune. But you bring up a good point about developers. To use most of the Android development tools or to build Android from source, you need the entire Java platform installed on your computer. Most people will be using Oracle's Java, which means most people developing for Android were vulnerable.

I say were vulnerable, because Oracle has patched the exploit as of late Sunday evening. Remember, we don't have to do anything for our Android devices, but anyone using Java should head over to Oracle's Java site and get the updated version. For more information be sure to read Oracle's security alert about the exploit and patch.

Have a question you need answered? (Preferably about Android, but we're flexible.) Hit up our Contact Page to get in touch!

Jerry Hildenbrand
Senior Editor — Google Ecosystem


  • Good to know
  • Not sure what they're payin you Jerry H... but it's not enough...
    Love the credibility and sheer genius you offer to this site
  • Sent by Jerry's "other" account. :)
  • lol
  • I have been java free since I think October. I've not run into any problems not having it.
  • Then you obviously don't have any programs that need it to run. Your usage doesn't mean anything for those of us that do need to run it. -Suntan
  • For those of us who don't know (non-techies) - "Java" is the problem. "JavaScript" is not. Android can enable JavaScript and that is not covered in the warnings. Android does not use "Java" proper. Android has nothing to worry about, and if you have not downloaded "Java" to your computer, you're cool there too. You can leave the JavaScript "On" and you'll be fine.
    Java - The animation, interactive features, timers, and other enhancements on webpages are sometimes provided by a software program known as Java. -BAD-
    JavaScript - JavaScript is a software technology that allows some buttons, online forms, and other webpage content to work properly. Disabling JavaScript can cause many sites not to work properly. -GOOD-
    Disable/Uninstall Java
    Leave JavaScript alone
  • I think disabling is the better option if you are worried about this vulnerability. I still see a lot of websites using Java. For instance, when you book tickets to movies, flights or sporting events, a lot of those seat selection tools are written in Java.
  • Stated above: "Almost every desktop operating system can run programs built for Java, because Java is a platform that runs inside and on top of your operating system. It sounds a bit confusing, but think of it" - now what follows should make the previous sentence easier to understand, but the following sentence would have everyone except a techie scratching their head -> "as a virtual machine that can run code built and complied a certain way." That should be "compiled," no?
  • Good info. As to Java on PCs, if you don't need it, at a minimum disable it in your browser. But better yet uninstall it! It's one less attack surface the bad guys can exploit (part of a defense in depth security approach). :)
  • Does Chrome OS use JAVA?
    I only ask because this exploit seems to be browser based and it was stated in the post that Android isn't affected. But, Chrome OS isn't Android.
  • No, Chrome OS does not run Java.
  • The alert indicates that the Java platform itself is also not vulnerable. It says: "These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications." So for example, if you were running the Eclipse IDE, you would not be affected by this vulnerability. This vulnerability is isolated to the Java plugin running within most browsers today. This plugin should be disabled on your PC's browsers, until you get the fix. This vulnerability could manifest itself, for example, as a Java applet embedded in a web page's content. If you go to that malicious web site with your PC's browser, you could be at risk. As the author points out, since the stock browser within Android does not have this plugin, Android is not vulnerable.
  • Jerry! You're very knowledgeable!
  • Jerry, I enjoy reading your articles. They are intelligent, witty and you don't take sides (most of the time). You remind me of my childhood friend's dad who worked at Intel. This guy could deliver a 4 hour talk on how the BIOS worked when all you asked for was what does BIOS stand for (Basic Input-Output System). Anyways keep up the awesome work.
  • This is one of the reasons I stay away from Android, I have a Windows Phone and I love it. Java has a history of unreliable.
  • So, obviously you didn't read the article.
  • Read the article?
    He doesn't even have time to finish his sentences..
  • I'm sorry ... did you say you don't use Android b/c of Java's potential security flaws. But you use WINDOWS instead? Hello Pot, I see you met Kettle!
  • Someone's lost. They're missing you at the "I hate Google" rally over at Windows Phone Central lol
  • If the Android browser doesn't use Java, then can someone please explain why Chrome for Android has a Content Setting "Enable JavaScript?"
  • To add to the confusion, JavaScript and Java are two different things..
  • Lol are u serious?
  • I absolutely was serious- and thanks for NOT answering a question. Without your help, I found out that the issue is "Java" not "Javascript." Those of us who are not computer nerds (read- 99% of the population) wouldn't know that. I realized that I don't even have Java installed on my computer.
  • Before you go getting all surly calling people names ("computer nerds") the answer to Java vs. Javascript was included in the article. Read before posting and avoid future 'Are you serious' comments.
  • Exactly! Not sure what it is, but I've been seeing more and more people fail at basic reading comprehension (online and at work). :(
  • Here's an update to the Java/Oracle/HS issue: Java Open JDK:
  • How can I get Adobe Flash Player for my Android phone?