Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Android Heartbleed Alert: 150 Million Apps Still Vulnerable

Android developers are starting to patch OpenSSL flaws. Meanwhile, Apple ships an SSL fix for iOS and OS X.

Warning to Android users: No patches are available for 150 million downloaded Android apps that remain vulnerable to the OpenSSL vulnerability known as Heartbleed. That finding comes from the security firm FireEye, which scanned more than 54,000 apps available via Google Play that have been downloaded at least 100,000 times.

The good news, however, is that since the Heartbleed vulnerability came to light on April 7, developers have released patches covering about 70 million previously vulnerable apps, thus taking a big bite out of what had been 220 million unpatchable apps.

That decline reflects Android app developers updating their wares with a patched version of OpenSSL, thus helping safeguard users from the possibility of malicious servers exploiting the bug to steal data from their devices. "We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products," FireEye information security researchers Yulong Zhang, Hui Xue, and Tao Wei wrote in a blog post. "Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes."

How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn't 4.1.0 or 4.1.1 won't be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there's no clear-cut, reliable way to inventory or scan them all.

FireEye, for example, counts 17 Google Play antivirus offerings that claim to detect Heartbleed, but it says that only six scan the OpenSSL library for Android.

Furthermore, apps can tap buggy OpenSSL code in other ways. "Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries," the FireEye researchers said. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server, and then send crafted [Heartbeat] messages to the app to steal sensitive memory contents."

One mitigating factor is that the majority of vulnerable apps appear to be games, so if attackers did exploit them, users would stand to lose their OAuth token, at most. However, enterprising attackers could use these tokens to attempt to hijack the game account and any social networks to which it connects, but that's arguably a lot of effort for little return.

But the second-most-prevalent type of vulnerable Android app appears to be office apps, which pose a greater risk when it comes to losing sensitive data. On the upside, FireEye found that, due to coding errors, many apps that contain vulnerable OpenSSL code are protected, oftentimes because developers appeared to accidentally call the OpenSSL library in Android OS, rather than a vulnerable, native library.

Android isn't the only mobile operating system sporting SSL vulnerabilities. On Tuesday, Apple pushed an iOS update -- version 7.1.1 -- that improves Touch ID fingerprint recognition and patches numerous flaws in WebKit, IOKit Kernel, CFNetwork HTTP, and Secure Transport. The flaw patched by Apple would have allowed an attacker who could eavesdrop on communications to subvert SSL.

"In a 'triple handshake' attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other," according to Apple's iOS security advisory. "To prevent attacks based on this scenario, Secure Transport was changed so that, by default, a renegotiation must present the same server certificate as was presented in the original connection."

Apple also released an OS X update Tuesday for its 10.7, 10.8, and 10.9 operating systems, patching numerous vulnerabilities, including the same type of Secure Transport flaw that attackers could use to subvert SSL. According to Apple's OS X security advisory, the flaw was fixed in 10.8 and 10.9; it didn't exist in 10.7 or earlier versions of the operating system.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we move to a digital world (free registration required).

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NoutellaE803
50%
50%
NoutellaE803,
User Rank: Apprentice
4/26/2014 | 1:11:20 PM
Tetraupload VPN
This is why i'm use a good vpn like TetraUpload VPN  http://tetraupload.com  

I think now internet isn't safe anymore to use my computer without protection :S
micjustin33
50%
50%
micjustin33,
User Rank: Apprentice
4/24/2014 | 7:46:49 AM
Re: Heartbleed and Android
There are SSL/Crypto implementations in languages other than C.

OpenSSL was one of the first non-commercial ones, which is why it is so prevalent.

At the time it was written, languages such as Java simply weren't fast enough (they're still slower than a pure C implementation).

The main issue as I see it is OpenSSL using its own memory allocator to manage memory – it stops the standard memory checking tools (and as a C programmer, you *always* use memory checking tools) picking up errors like Heartbleed.

I believe, although I haven't double-checked, if OpenSSL had been using the standard malloc and free, the bug would have been picked up by Valgrind.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
4/24/2014 | 5:16:54 AM
Re: Heartbleed and Android
Great question. I touched on this last week in my Heartbleed Facts feature, but here's the short answer: 

1) Android OS vulnerabilities: According to Lookout, 86% of users running Android 4.1.1 are vulnerable to Heartbleed (as of last week), while 5% of users running 4.2.2 are affected. Lookout says that suggests that most 4.1.1 distributions are vulnerable, as are some 4.2.2 custom ROMs.

2) Android app vulnerabilities: Irrespective of the version of Android running on a device, any given app may also include an insecure version of OpenSSL. 

Fixing #2 requires developers to replace vulnerable OpenSSL, and many have already done so.

Fixing #1 requires handset manufacturers and carriers to release patches or OS updates. On this front, if past experience is any guide, some will do so shortly, but many won't. (And if they don't, maybe it's time for some class-action lawsuits or tough love from the FTC?)
theb0x
50%
50%
theb0x,
User Rank: Ninja
4/23/2014 | 6:10:46 PM
Heartbleed and Android
I would like to know if these Android devices are shipped from the factory vulnerable with it's either 4.1.1 version or if it's any of the 3rd party apps bundled? Which by the way you can only stop their running services but not uninstall unless rooted.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.