[LINK] The Heartbleed Bug in OpenSSL

Scott Howard scott at doc.net.au
Wed Apr 16 10:45:18 AEST 2014


In general, most apps on Android are not going to be impacted, even if they
are (technically) vulnerable.

In order for Heartbleed to be abused on a client device like an Android
device, an App on the device will need to connect to a malicious server -
one that has been specifically set up to abuse the vulnerability.  Even
then, the only impact is that the website can steal data from that one
specific app, not from the device in general.

Most apps either never connect to a web server, or only connect to a
specific website run by the app's developers or similar.  Given that you're
already trusting the app itself, it's an obvious step to say that the
website it's connecting to is also trustworthy (or at least, as much as the
app is), so the additional risk here is basically zero.

Things are a little different for apps that connect to multiple,
non-hardcoded sites, e.g., a web browser.  If you were to connect to a
compromised site (either directly, or via a link/image/etc on another site)
then you could potentially be exploited.  Again, the only risk is that the
site could steal data from the memory of your web browser, NOT from other
apps.  E.g., if you'd just logged into your internet banking using your web
browser, then it's possible that the credentials could be snagged, however
if you had just logged into your internet banking APP (and presuming that
app was a true app and not just a wrapper to the web browser) then your
credentials could NOT be stolen.

So yes, it's a concern, but probably not as big a one as the press is going
to be making out over the next few days as they move their attention from
servers to clients.  And remember, it's Android 4.1.1 only, not the far
more common 4.1.2 which despite running the affected version of OpenSSL has
the heartbeat code disabled (most likely as a potential battery performance
improvement).

  Scott



On Tue, Apr 15, 2014 at 5:18 PM, Jan Whitaker <jwhit at internode.on.net> wrote:

> At 01:34 AM 10/04/2014, Rick Welykochy wrote:
>
> >The Heartbleed Bug has been plaguing Apache and nginx web servers
> >for a couple of years.
>
> Just did a bit of research on this re the trickle out of more info
> about the bug: affecting Android devices. Turns out the largest user
> base, Jellybean 4.1.1 is affected and still no patch.
>
> http://www.androidtablets.net/forum/android-tablet-news-depot/66538-heartboned-why-google-needs-reclaim-android-updates.html
>
> This happens to be the version installed on the inexpensive tablets
> from Aldi (I bought one late last year). Plus the Google staff are
> only saying they will advise their Android partners. All well and
> good, but how will those partners advise their end customers, like me?
>
> http://googleonlinesecurity.blogspot.com.au/2014/04/google-services-updated-to-address.html
>
> I have changed some passwords on critical accounts, like Gmail which
> I hardly ever use, but is my Google overall password because of their
> integration approach, and Amazon. But if the OS is buggy, doesn't
> seem like that's worth much now/yet.
>
> I've never had to update an Android system before, so have no idea
> how that happens. Apps seem to take care of themselves automatically,
> but Android???
>
> Any further advice? I can't seem to find what I'm looking for on this
> beyond the above. (whirlpool doesn't address it yet, for example)
>
> Jan
>
>
>
> Melbourne, Victoria, Australia
> jwhit at janwhitaker.com
>
> Sooner or later, I hate to break it to you, you're gonna die, so how
> do you fill in the space between here and there? It's yours. Seize your
> space.
> ~Margaret Atwood, writer
>
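The client-side scenario Scott describes (an app connecting to a malicious server that abuses the TLS heartbeat extension to read that app's memory) comes down to one missing length check. The following is an added example, not code from this thread or from OpenSSL: it parses a TLS heartbeat record and flags a message whose claimed payload_length exceeds what the record actually carries, which is the bound the patched OpenSSL enforces (type byte + 2-byte length + payload + 16 bytes padding must fit in the record) and the same bound a network sensor can apply to spot Heartbleed probes. The sample records are constructed inline; the helper names are my own.

```python
import struct

# TLS record content type for the heartbeat extension (RFC 6520)
HEARTBEAT_CONTENT_TYPE = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data):
    """Split one raw TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record body shorter than its header claims")
    return ctype, (major, minor), fragment


def heartbeat_is_well_formed(fragment):
    """Apply the bound the Heartbleed fix added: the heartbeat type byte,
    the 2-byte payload_length, the payload itself and 16 bytes of padding
    must all fit inside the record that actually arrived. A message that
    claims more payload than the record carries is the Heartbleed over-read."""
    if len(fragment) < 3:
        return False
    hb_type = fragment[0]
    (payload_length,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    return 1 + 2 + payload_length + MIN_PADDING <= len(fragment)


def classify_record(data):
    """Return 'heartbeat', 'heartbleed-probe' or 'other' for one TLS record."""
    ctype, _, fragment = parse_tls_record(data)
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return "other"
    return "heartbeat" if heartbeat_is_well_formed(fragment) else "heartbleed-probe"


def tls_record(ctype, fragment, version=(3, 2)):
    """Frame a fragment as a TLS 1.1 record (helper for the constructed samples)."""
    return struct.pack("!BBBH", ctype, *version, len(fragment)) + fragment


# Constructed sample records (not captured traffic): a legitimate 3-byte heartbeat
# request with minimum padding, the same request claiming a 16 KiB payload, and app data.
GOOD_HEARTBEAT = tls_record(24, b"\x01\x00\x03abc" + b"\x00" * 16)
OVERSIZED_HEARTBEAT = tls_record(24, b"\x01\x40\x00abc" + b"\x00" * 16)
APP_DATA = tls_record(23, b"hello")
```

A sensor that can only see encrypted records still gets this far, because heartbeat messages carry the content type and length fields in the clear at the record layer.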


