Vulnerabilities / Threats
4/23/2014
02:12 PM
50%
50%

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

Warning to Android users: No patches are available for 150 million downloaded Android apps that remain vulnerable to the OpenSSL vulnerability known as Heartbleed. That finding comes from the security firm FireEye, which scanned more than 54,000 apps available via Google Play that have been downloaded at least 100,000 times.

The good news, however, is that since the Heartbleed vulnerability came to light on April 7, developers have released patches covering about 70 million previously vulnerable apps, thus taking a big bite out of what had been 220 million unpatchable apps.

That decline reflects Android app developers updating their wares with a patched version of OpenSSL, thus helping safeguard users from the possibility of malicious servers exploiting the bug to steal data from their devices. "We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products," FireEye information security researchers Yulong Zhang, Hui Xue, and Tao Wei wrote in a blog post. "Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes."

How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn't 4.1.0 or 4.1.1 won't be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there's no clear-cut, reliable way to inventory or scan them all.

FireEye, for example, counts 17 Google Play antivirus offerings that claim to detect Heartbleed, but it says that only six scan the OpenSSL library for Android.

Furthermore, apps can tap buggy OpenSSL code in other ways. "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries," the FireEye researchers said. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server, and then send crafted [Heartbeat] messages to the app to steal sensitive memory contents."

One mitigating factor is that the majority of vulnerable apps appear to be games, so if attackers did exploit them, users would stand to lose their OAuth token, at most. However, enterprising attackers could use these tokens to attempt to hijack the game account and any social networks to which it connects, but that's arguably a lot of effort for little return.

But the second-most-prevalent type of vulnerable Android app appears to be office apps, which pose a greater risk when it comes to losing sensitive data. On the upside, FireEye found that, due to coding errors, many apps that contain vulnerable OpenSSL code are protected, oftentimes because developers appeared to accidentally call the OpenSSL library in Android OS, rather than a vulnerable, native library.

Android isn't the only mobile operating system sporting SSL vulnerabilities. On Tuesday, Apple pushed an iOS update -- version 7.1.1 -- that improves Touch ID fingerprint recognition and patches numerous flaws in WebKit, IOKit Kernel, CFNetwork HTTP, and Secure Transport. The flaw patched by Apple would have allowed an attacker who could eavesdrop on communications to subvert SSL.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," according to Apple's iOS security advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

Apple also released an OS X update Tuesday for its 10.7, 10.8, and 10.9 operating systems, patching numerous vulnerabilities, including the same type of Secure Transport flaw that attackers could use to subvert SSL. According to Apple's OS X security advisory, the flaw was fixed in 10.8 and 10.9; it didn't exist in 10.7 or earlier versions of the operating system.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we move to a digital world (free registration required).

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoutellaE803
50%
50%
NoutellaE803,
User Rank: Apprentice
4/26/2014 | 1:11:20 PM
Tetraupload VPN
This is why i'm use a good vpn like TetraUpload VPN  http://tetraupload.com  

I think now internet isn't safe anymore to use my computer without protection :S
micjustin33
50%
50%
micjustin33,
User Rank: Apprentice
4/24/2014 | 7:46:49 AM
Re: Heartbleed and Android
There are SSL/Crypto implementations in languages other than C.

OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.

At the time it was written, languages such as Java simply weren't fast enough (they're still slower than a pure C implementation).

The main issue as I see it is OpenSSL using its own memory allocator to manage memory – it stops the standard memory checking tools (and as a C programmer, you *always* use memory checking tools) picking up errors like Heartbleed.

I believe, although I haven't double-checked, if OpenSSL had been using the standard malloc and free, the bug would have been picked up by Valgrind.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/24/2014 | 5:16:54 AM
Re: Heartbleed and Android
Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 

1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed (as of last week), while 5% of users running 4.2.2 are affected. Lookout says that suggests that most 4.1.1 distributions are vulnerable, as are some 4.2.2 custom ROMs.

2) Android app vulnerabilities: Irrespective of the version of Android running on a device, any given app may also include an insecure version of OpenSSL. 

Fixing #2 requires developers to replace vulnerable OpenSSL, and many have already done so.

Fixing #1 requires handset manufacturers and carriers to release patches or OS updates. On this front, if past experience is any guide, some will do so shortly, but many won't. (And if they don't, maybe it's time for some class-action lawsuits or tough love from the FTC?)
theb0x
50%
50%
theb0x,
User Rank: Moderator
4/23/2014 | 6:10:46 PM
Heartbleed and Android
I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services but not uninstall unless rooted.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?