Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

Warning to Android users: No patches are available for 150 million downloaded Android apps that remain vulnerable to the OpenSSL vulnerability known as Heartbleed. That finding comes from the security firm FireEye, which scanned more than 54,000 apps available via Google Play that have been downloaded at least 100,000 times.

The good news, however, is that since the Heartbleed vulnerability came to light on April 7, developers have released patches covering about 70 million previously vulnerable apps, thus taking a big bite out of what had been 220 million unpatchable apps.

That decline reflects Android app developers updating their wares with a patched version of OpenSSL, thus helping safeguard users from the possibility of malicious servers exploiting the bug to steal data from their devices. "We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products," FireEye information security researchers Yulong Zhang, Hui Xue, and Tao Wei wrote in a blog post. "Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes."

How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn't 4.1.0 or 4.1.1 won't be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there's no clear-cut, reliable way to inventory or scan them all.

FireEye, for example, counts 17 Google Play antivirus offerings that claim to detect Heartbleed, but it says that only six scan the OpenSSL library for Android.

Furthermore, apps can tap buggy OpenSSL code in other ways. "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries," the FireEye researchers said. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server, and then send crafted [Heartbeat] messages to the app to steal sensitive memory contents."

One mitigating factor is that the majority of vulnerable apps appear to be games, so if attackers did exploit them, users would stand to lose their OAuth token, at most. However, enterprising attackers could use these tokens to attempt to hijack the game account and any social networks to which it connects, but that's arguably a lot of effort for little return.

But the second-most-prevalent type of vulnerable Android app appears to be office apps, which pose a greater risk when it comes to losing sensitive data. On the upside, FireEye found that, due to coding errors, many apps that contain vulnerable OpenSSL code are protected, oftentimes because developers appeared to accidentally call the OpenSSL library in Android OS, rather than a vulnerable, native library.

Android isn't the only mobile operating system sporting SSL vulnerabilities. On Tuesday, Apple pushed an iOS update -- version 7.1.1 -- that improves Touch ID fingerprint recognition and patches numerous flaws in WebKit, IOKit Kernel, CFNetwork HTTP, and Secure Transport. The flaw patched by Apple would have allowed an attacker who could eavesdrop on communications to subvert SSL.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," according to Apple's iOS security advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

Apple also released an OS X update Tuesday for its 10.7, 10.8, and 10.9 operating systems, patching numerous vulnerabilities, including the same type of Secure Transport flaw that attackers could use to subvert SSL. According to Apple's OS X security advisory, the flaw was fixed in 10.8 and 10.9; it didn't exist in 10.7 or earlier versions of the operating system.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we move to a digital world (free registration required).

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoutellaE803
50%
50%
NoutellaE803,
User Rank: Apprentice
4/26/2014 | 1:11:20 PM
Tetraupload VPN
This is why i'm use a good vpn like TetraUpload VPN  http://tetraupload.com  

I think now internet isn't safe anymore to use my computer without protection :S
micjustin33
50%
50%
micjustin33,
User Rank: Apprentice
4/24/2014 | 7:46:49 AM
Re: Heartbleed and Android
There are SSL/Crypto implementations in languages other than C.

OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.

At the time it was written, languages such as Java simply weren't fast enough (they're still slower than a pure C implementation).

The main issue as I see it is OpenSSL using its own memory allocator to manage memory – it stops the standard memory checking tools (and as a C programmer, you *always* use memory checking tools) picking up errors like Heartbleed.

I believe, although I haven't double-checked, if OpenSSL had been using the standard malloc and free, the bug would have been picked up by Valgrind.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/24/2014 | 5:16:54 AM
Re: Heartbleed and Android
Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 

1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed (as of last week), while 5% of users running 4.2.2 are affected. Lookout says that suggests that most 4.1.1 distributions are vulnerable, as are some 4.2.2 custom ROMs.

2) Android app vulnerabilities: Irrespective of the version of Android running on a device, any given app may also include an insecure version of OpenSSL. 

Fixing #2 requires developers to replace vulnerable OpenSSL, and many have already done so.

Fixing #1 requires handset manufacturers and carriers to release patches or OS updates. On this front, if past experience is any guide, some will do so shortly, but many won't. (And if they don't, maybe it's time for some class-action lawsuits or tough love from the FTC?)
theb0x
50%
50%
theb0x,
User Rank: Ninja
4/23/2014 | 6:10:46 PM
Heartbleed and Android
I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services but not uninstall unless rooted.
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29378
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
CVE-2020-29379
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
CVE-2020-29380
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
CVE-2020-29381
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename...
CVE-2020-29382
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.