Millions of Android smartphones and tablets are at risk of being attacked via the Heartbleed bug (also known as CVE-2014-0160), more than a week after the security vulnerability was first made public.
Last week, Google announced that it was updating some of its services in response to the serious security hole.
But at the same time the company noted that when it came to the Android operating system, only one particular version of the software was at risk: Version 4.1.1 of Jellybean.
All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).
The concern is that vulnerable devices might be exposed to what is known as the “Reverse Heartbleed” attack, where a malicious web server could exploit the flaw to steal data from an Android smartphone’s browser, including private information.
So, the obvious question you should be considering is, are you running Jellybean 4.1.1 on your Android devices?
Here’s how you can check:
- Enter System settings
- Scroll the screen down to About
- Look for your Android version number
Alternatively, for a more thorough test, those nice folks at mobile security firm Lookout have published a free app which will niftily tell you if your version of Android is at risk.
“Heartbleed Detector” does that by determining if a vulnerable version of OpenSSL is installed, and whether your device is at risk because of the bug.
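If you look after more than one device, the two checks described above (Android release and OpenSSL version) can be scripted. The following is an added example, not code from Lookout or from the original article; the inventory rows and the `heartbeats_compiled_in` field are constructed assumptions, and the affected range is the one given in the OpenSSL advisory for CVE-2014-0160.

```python
import re

# Affected range per the OpenSSL advisory for CVE-2014-0160:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g and 1.0.2-beta2.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?")

def openssl_version_affected(banner):
    """True/False for a recognised version banner, None if it cannot be judged."""
    m = _VERSION.search(banner)
    if not m:
        return None
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        if prerelease:
            return None  # 1.0.1 betas are outside the advisory's stated range
        return letter <= "f"  # "" (plain 1.0.1) up to "f"
    if branch == (1, 0, 2):
        return prerelease == "beta1"
    return False  # older branches never had heartbeat code; newer ones are fixed

def device_exposure(android_release, banner, heartbeats_compiled_in=None):
    """Combine the article's Android-version check with the OpenSSL check."""
    affected = openssl_version_affected(banner)
    if affected is None:
        return "unknown: check manually"
    if not affected or heartbeats_compiled_in is False:
        return "not exposed"  # includes builds made with -DOPENSSL_NO_HEARTBEATS
    if heartbeats_compiled_in or android_release == "4.1.1":
        return "exposed: update"
    return "affected OpenSSL version: confirm heartbeat support"

# Constructed sample rows, not real device data:
# (device id, Android release, OpenSSL banner, heartbeats_compiled_in)
INVENTORY = [
    ("tablet-01", "4.1.1", "OpenSSL 1.0.1c 10 May 2012", None),
    ("phone-02", "4.1.2", "OpenSSL 1.0.1c 10 May 2012", False),
    ("phone-03", "4.0.4", "OpenSSL 1.0.0e 6 Sep 2011", None),
    ("phone-04", "4.4.2", "OpenSSL 1.0.1e 11 Feb 2013", None),
]

def triage(inventory):
    return {dev: device_exposure(rel, ban, hb) for dev, rel, ban, hb in inventory}

if __name__ == "__main__":
    for device, verdict in triage(INVENTORY).items():
        print(f"{device}: {verdict}")
```

A version string alone cannot show whether a vendor backported the fix or built OpenSSL without heartbeat support, which is why the last verdict asks for confirmation rather than declaring the device exposed.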
If either of these methods tells you that your Android smartphone or tablet might be at risk, an operating system update is strongly recommended – so go to System Updates.
And there’s your next problem. You might find that a system update is nowhere to be found.
As I’ve discussed before, Android devices can be something of a nightmare because of the difficulty involved in getting security updates.
Even if you *want* to upgrade the OS on your Android devices you might not be able to, because an Android update is only going to be available for those devices with the assistance and goodwill of the manufacturer and mobile phone carrier.
And often, history has shown us, older Android devices are left in the lurch and not given an easy path for OS updates.
As The Guardian explains, 50 million Android devices might be at risk from this particular vulnerability as a result.
It’s pretty shameful if manufacturers and mobile phone carriers fail to push out updates for Android 4.1.1, as the operating system was only released back in July 2012.