BT
x Your opinion matters! Please fill in the InfoQ Survey about your reading habits!

Android 4.1.1 Vulnerable to Reverse Heartbleed

by Sergio De Simone on Apr 15, 2014 |

Google announced last week that Android 4.1.1 is susceptible to the Heartbleed OpenSSL bug. While Android 4.1.1 is, according to Google, the only Android version vulnerable to Heartbleed, it remains in use in millions of smartphones and tablets.

Google stated that less than 10 percent of active devices use Android 4.1.1, but official Google statistics only show the aggregated figure for Android 4.1.x, which is about 34 percent. According to Charles Arthur, reporting for The Guardian, the number of affected devices could be 50m, 4m in US alone. The figure is calculated based on data provided by the analytics firm Chitika, showing Android 4.1.1 users generated 19% of total North American Android 4.1 traffic.

The issue on Android could be more extended than that, though. Indeed, Marc Rogers, principal security researcher at Lookout Mobile, a provider of antimalware software for Android phones, said to Ars Technica that some customized versions of Android 4.2.2 have also been found to be susceptible and that other releases may contain the critical Heartbleed flaw as well.

Google has already patched Android 4.1.1 and distributed patching information to Android partners, according to its official statement. It remains to be seen, though, how the patch is effectively deployed, since Android software updates are controlled by carriers and handset manufacturers, not Google. Furthermore, carriers have previously failed to provide consumers with available security updates, as Ars Technica reported a while back.

The attention around Heartbleed has initially focused on the most direct scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. Unfortunately, as security firm Meldium says, TLS heartbeats are symmetric, so they can be exploited on whichever connection endpoint, either the client or the server. Thus, a malicious server can send bad heartbeat packets to an unpatched client and potentially extract sensitive data from it.

According to Meldium, reverse Heartbleed is harder to exploit, since clients that use certificate pinning can quickly close the connection once they realize the server certificate does not match and server-initiated heartbeat requests require that a connection has been successfully established. Nevertheless, Meldium has proven that vulnerable clients can actually be made to send hundreds of 16kb chunks of memory back, if the server uses a few tricks to keep the connection open as long as possible.

Apple's iOS appears to be unaffected since Apple has never provided OpenSSL has part of iOS. Microsoft said that Windows'  implementation of SSL/TLS is also not impacted. We've approached Microsoft for clarification with regards Windows Phone but haven't heard anything at the time of publication. We will update the post if we hear back from them.

 

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT