Heartbleed + Android: A Not-So Love Story
- By Lookout, Inc.
- Heartbleed is a software flaw in the OpenSSL “Heartbeat” function, which helps keep secure connections alive. Exploiting the flaw, attackers could pull out 64K of random data living in the active memory of those targeted systems. Read the blog: What is Heartbleed?
- What is Reverse Heartbleed? This is where things get concerning for Android users. Most people are talking about Heartbleed, where a malicious client steals data from a vulnerable server. But it works in reverse as well: a malicious server could steal data from a vulnerable client, such as your Android phone. It goes to show how widespread the issue is and why companies should immediately work to patch their systems and devices.
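The two slides above describe the same defect seen from both ends of the connection: a Heartbeat message carries a 16-bit length field, and an unpatched OpenSSL trusted that field instead of checking it against the bytes actually received, so it echoed back up to 64K of whatever sat next to the request in memory. The same code path runs in a TLS client and a TLS server, which is why a malicious server can do to a phone what a malicious client does to a website. The following validator is an added illustration, not Lookout's detector code or OpenSSL's source; it applies the bounds check a patched implementation performs before answering a heartbeat, and the sample records are constructed for the example.

```python
"""Validate TLS Heartbeat messages (RFC 6520) before answering them.

Added illustration; not Lookout's or OpenSSL's code. A heartbeat record is:
    type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
A patched peer only echoes payload bytes that really arrived; an unpatched
peer copied payload_length bytes from its own memory, leaking up to 64K.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # 1-byte type + 2-byte payload length
MIN_PADDING = 16      # RFC 6520: at least 16 bytes of random padding
MAX_PAYLOAD = 0xFFFF  # the 16-bit length field is why the leak is capped at 64K


class MalformedHeartbeat(ValueError):
    """Raised when a heartbeat record must be dropped rather than answered."""


def parse_heartbeat(record: bytes) -> tuple[int, bytes]:
    """Return (type, payload) or raise MalformedHeartbeat.

    The decisive check is the length comparison: the declared payload plus
    the mandatory padding must fit inside the record we actually received.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise MalformedHeartbeat("record too short for header and padding")
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    available = len(record) - HEADER_LEN - MIN_PADDING
    if payload_len > available:
        # This is the bounds check whose absence is the Heartbleed bug.
        raise MalformedHeartbeat(
            f"declared payload {payload_len} bytes, only {available} received")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_len]


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Build a well-formed heartbeat record (zero padding for determinism)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit a 16-bit length field")
    return struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING


def respond(record: bytes) -> bytes:
    """Answer a request the way a patched peer does: echo only real bytes."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_malformed(record: bytes) -> bool:
    """Detection helper: True if the record should be dropped and logged."""
    try:
        parse_heartbeat(record)
        return False
    except MalformedHeartbeat:
        return True


# Constructed samples for the example. GOOD_RECORD declares its true length;
# BAD_RECORD declares 65535 payload bytes while carrying only two.
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
BAD_RECORD = b"\x01\xff\xff" + b"hi" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("good record ->", respond(GOOD_RECORD))
    print("bad record malformed?", is_malformed(BAD_RECORD))
```

Whether the code runs in a server or in a client library on a phone, the check is the same, which is the point of the Reverse Heartbleed slide: a device is protected by the OpenSSL build it ships with, not by which side of the connection it sits on.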
- What does this mean for your Android? If your device is running on a version of Android that uses an affected version of OpenSSL, your data may be vulnerable. Fortunately, Lookout found that the affected Android versions only make up a small percentage of the overall Android ecosystem. (If you’re wondering about iOS, Apple doesn’t ship its mobile operating system with OpenSSL, so everything is OK.)
- Android Versions (chart labels: 2.*, 3.*, 4.0, 4.1.1, 4.1.2, 4.2.1, 4.2.2, 4.3, 4.4). We predominantly saw vulnerable devices running Android 4.1.1; however, we did spot some using 4.2.2. Google says that only 4.1.1 is vulnerable to Heartbleed, which might indicate that there are custom versions of 4.2.2 floating around. Most Android versions are not vulnerable to Heartbleed.
- Most-Frequently Reported Vulnerable Devices (pictured: MOTOROLA ATRIX HD, EVO, HTC ONE X, HTC ONE S, HTC ONE X+). We’ve seen that devices running vulnerable Android versions 4.1.1 and 4.2.2 are mostly the same 10 popular phones and tablets.
- As new phones come out, older ones are cut off from new Android updates. It’s possible that these phones fall into that category, leaving users unable to update to a newer, safer version of Android. It’s a curse of these phones’ own success: the hardware has lasted so well that the software can’t measure up.
  - HTC ONE X: 84% of users vulnerable, not yet patched
  - HTC ONE X+: 100% of users vulnerable, not yet patched
  - EVO: 84% of users vulnerable, not yet patched
  - HTC ONE S: 82% of users vulnerable, not yet patched
  - HTC DESIRE X: 100% of users vulnerable, not yet patched
  - MOTOROLA ATRIX HD: 99% of users vulnerable, not yet patched
  - PRISM II: 100% of users vulnerable, not yet patched
  - HUAWEI ASCEND Y300: 100% of users vulnerable, not yet patched
  - NEXTBOOK 8: 100% of users vulnerable, not yet patched
  - ZTE VALET: 99% of users vulnerable, not yet patched
- Where is Heartbleed? Just like the Internet reaches people across the globe, so has Heartbleed. We’ve collected data from Android users in nearly 100 countries and found that device vulnerability can happen just about anywhere.
- Vulnerable Android Users by Country: Of more than 75,000 Android users in the United States, 3.4% were running OpenSSL versions vulnerable to Heartbleed. Most of our data comes from users in the U.S.
- Let’s talk about you. At this point you’re probably starting to worry about whether your device is vulnerable. We’ve analyzed more than 100,000 users’ operating systems and found that 96% are not vulnerable. Lookout built a free detector app that you can download to see if your Android is affected. Download free from Google Play.
- What can I do if my device is vulnerable? If your phone is vulnerable, we suggest you update your OS to the latest version of Android. If you don't have an update available, you unfortunately have to wait for your manufacturer and carrier to issue an update to your device. In some cases, they may never release an update. More questions? Read our FAQ
- Cool, my device is safe. What else do I need to know? Just because your device isn’t vulnerable doesn’t mean all of your apps and services are secure. Wait until you've heard from a company that its systems have been patched. Then you're safe to change your password. More questions? Read our FAQ
- About this report This data has been reported to Lookout by more than 100,000 Heartbleed Detector users.
- For more mobile security tips, follow Lookout