Vulnerabilities / Threats
4/23/2014
02:12 PM
50%
50%

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

Warning to Android users: No patches are available for 150 million downloaded Android apps that remain vulnerable to the OpenSSL vulnerability known as Heartbleed. That finding comes from the security firm FireEye, which scanned more than 54,000 apps available via Google Play that have been downloaded at least 100,000 times.

The good news, however, is that since the Heartbleed vulnerability came to light on April 7, developers have released patches covering about 70 million previously vulnerable apps, thus taking a big bite out of what had been 220 million unpatchable apps.

That decline reflects Android app developers updating their wares with a patched version of OpenSSL, thus helping safeguard users from the possibility of malicious servers exploiting the bug to steal data from their devices. "We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products," FireEye information security researchers Yulong Zhang, Hui Xue, and Tao Wei wrote in a blog post. "Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes."

How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn't 4.1.0 or 4.1.1 won't be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there's no clear-cut, reliable way to inventory or scan them all.

FireEye, for example, counts 17 Google Play antivirus offerings that claim to detect Heartbleed, but it says that only six scan the OpenSSL library for Android.

Furthermore, apps can tap buggy OpenSSL code in other ways. "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries," the FireEye researchers said. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server, and then send crafted [Heartbeat] messages to the app to steal sensitive memory contents."

One mitigating factor is that the majority of vulnerable apps appear to be games, so if attackers did exploit them, users would stand to lose their OAuth token, at most. However, enterprising attackers could use these tokens to attempt to hijack the game account and any social networks to which it connects, but that's arguably a lot of effort for little return.

But the second-most-prevalent type of vulnerable Android app appears to be office apps, which pose a greater risk when it comes to losing sensitive data. On the upside, FireEye found that, due to coding errors, many apps that contain vulnerable OpenSSL code are protected, oftentimes because developers appeared to accidentally call the OpenSSL library in Android OS, rather than a vulnerable, native library.

Android isn't the only mobile operating system sporting SSL vulnerabilities. On Tuesday, Apple pushed an iOS update -- version 7.1.1 -- that improves Touch ID fingerprint recognition and patches numerous flaws in WebKit, IOKit Kernel, CFNetwork HTTP, and Secure Transport. The flaw patched by Apple would have allowed an attacker who could eavesdrop on communications to subvert SSL.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," according to Apple's iOS security advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

Apple also released an OS X update Tuesday for its 10.7, 10.8, and 10.9 operating systems, patching numerous vulnerabilities, including the same type of Secure Transport flaw that attackers could use to subvert SSL. According to Apple's OS X security advisory, the flaw was fixed in 10.8 and 10.9; it didn't exist in 10.7 or earlier versions of the operating system.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we move to a digital world (free registration required).

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoutellaE803
50%
50%
NoutellaE803,
User Rank: Apprentice
4/26/2014 | 1:11:20 PM
Tetraupload VPN
This is why i'm use a good vpn like TetraUpload VPN  http://tetraupload.com  

I think now internet isn't safe anymore to use my computer without protection :S
micjustin33
50%
50%
micjustin33,
User Rank: Apprentice
4/24/2014 | 7:46:49 AM
Re: Heartbleed and Android
There are SSL/Crypto implementations in languages other than C.

OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.

At the time it was written, languages such as Java simply weren't fast enough (they're still slower than a pure C implementation).

The main issue as I see it is OpenSSL using its own memory allocator to manage memory – it stops the standard memory checking tools (and as a C programmer, you *always* use memory checking tools) picking up errors like Heartbleed.

I believe, although I haven't double-checked, if OpenSSL had been using the standard malloc and free, the bug would have been picked up by Valgrind.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/24/2014 | 5:16:54 AM
Re: Heartbleed and Android
Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 

1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed (as of last week), while 5% of users running 4.2.2 are affected. Lookout says that suggests that most 4.1.1 distributions are vulnerable, as are some 4.2.2 custom ROMs.

2) Android app vulnerabilities: Irrespective of the version of Android running on a device, any given app may also include an insecure version of OpenSSL. 

Fixing #2 requires developers to replace vulnerable OpenSSL, and many have already done so.

Fixing #1 requires handset manufacturers and carriers to release patches or OS updates. On this front, if past experience is any guide, some will do so shortly, but many won't. (And if they don't, maybe it's time for some class-action lawsuits or tough love from the FTC?)
theb0x
50%
50%
theb0x,
User Rank: Moderator
4/23/2014 | 6:10:46 PM
Heartbleed and Android
I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services but not uninstall unless rooted.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.