Vulnerabilities / Threats
4/23/2014
02:12 PM
Connect Directly
RSS
E-Mail
50%
50%

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

Warning to Android users: No patches are available for 150 million downloaded Android apps that remain vulnerable to the OpenSSL vulnerability known as Heartbleed. That finding comes from the security firm FireEye, which scanned more than 54,000 apps available via Google Play that have been downloaded at least 100,000 times.

The good news, however, is that since the Heartbleed vulnerability came to light on April 7, developers have released patches covering about 70 million previously vulnerable apps, thus taking a big bite out of what had been 220 million unpatchable apps.

That decline reflects Android app developers updating their wares with a patched version of OpenSSL, thus helping safeguard users from the possibility of malicious servers exploiting the bug to steal data from their devices. "We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products," FireEye information security researchers Yulong Zhang, Hui Xue, and Tao Wei wrote in a blog post. "Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes."

How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn't 4.1.0 or 4.1.1 won't be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there's no clear-cut, reliable way to inventory or scan them all.

FireEye, for example, counts 17 Google Play antivirus offerings that claim to detect Heartbleed, but it says that only six scan the OpenSSL library for Android.

Furthermore, apps can tap buggy OpenSSL code in other ways. "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries," the FireEye researchers said. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server, and then send crafted [Heartbeat] messages to the app to steal sensitive memory contents."

One mitigating factor is that the majority of vulnerable apps appear to be games, so if attackers did exploit them, users would stand to lose their OAuth token, at most. However, enterprising attackers could use these tokens to attempt to hijack the game account and any social networks to which it connects, but that's arguably a lot of effort for little return.

But the second-most-prevalent type of vulnerable Android app appears to be office apps, which pose a greater risk when it comes to losing sensitive data. On the upside, FireEye found that, due to coding errors, many apps that contain vulnerable OpenSSL code are protected, oftentimes because developers appeared to accidentally call the OpenSSL library in Android OS, rather than a vulnerable, native library.

Android isn't the only mobile operating system sporting SSL vulnerabilities. On Tuesday, Apple pushed an iOS update -- version 7.1.1 -- that improves Touch ID fingerprint recognition and patches numerous flaws in WebKit, IOKit Kernel, CFNetwork HTTP, and Secure Transport. The flaw patched by Apple would have allowed an attacker who could eavesdrop on communications to subvert SSL.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," according to Apple's iOS security advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

Apple also released an OS X update Tuesday for its 10.7, 10.8, and 10.9 operating systems, patching numerous vulnerabilities, including the same type of Secure Transport flaw that attackers could use to subvert SSL. According to Apple's OS X security advisory, the flaw was fixed in 10.8 and 10.9; it didn't exist in 10.7 or earlier versions of the operating system.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we move to a digital world (free registration required).

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoutellaE803
50%
50%
NoutellaE803,
User Rank: Apprentice
4/26/2014 | 1:11:20 PM
Tetraupload VPN
This is why i'm use a good vpn like TetraUpload VPN  http://tetraupload.com  

I think now internet isn't safe anymore to use my computer without protection :S
micjustin33
50%
50%
micjustin33,
User Rank: Apprentice
4/24/2014 | 7:46:49 AM
Re: Heartbleed and Android
There are SSL/Crypto implementations in languages other than C.

OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.

At the time it was written, languages such as Java simply weren't fast enough (they're still slower than a pure C implementation).

The main issue as I see it is OpenSSL using its own memory allocator to manage memory – it stops the standard memory checking tools (and as a C programmer, you *always* use memory checking tools) picking up errors like Heartbleed.

I believe, although I haven't double-checked, if OpenSSL had been using the standard malloc and free, the bug would have been picked up by Valgrind.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/24/2014 | 5:16:54 AM
Re: Heartbleed and Android
Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 

1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed (as of last week), while 5% of users running 4.2.2 are affected. Lookout says that suggests that most 4.1.1 distributions are vulnerable, as are some 4.2.2 custom ROMs.

2) Android app vulnerabilities: Irrespective of the version of Android running on a device, any given app may also include an insecure version of OpenSSL. 

Fixing #2 requires developers to replace vulnerable OpenSSL, and many have already done so.

Fixing #1 requires handset manufacturers and carriers to release patches or OS updates. On this front, if past experience is any guide, some will do so shortly, but many won't. (And if they don't, maybe it's time for some class-action lawsuits or tough love from the FTC?)
theb0x
50%
50%
theb0x,
User Rank: Moderator
4/23/2014 | 6:10:46 PM
Heartbleed and Android
I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services but not uninstall unless rooted.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.