Friday August 23rd, 2019

If you’ve been on the internet in the last week, you’ve probably read about the vulnerability found in OpenSSL which affects a good percentage of the Internet. Heartbleed is the name given to a vulnerability in OpenSSL, the secure sockets layer software used for secure internet transactions (e.g. web servers running on https, like your bank, or our donation portal). It allows a would-be hacker to read the memory of systems running the vulnerable versions of OpenSSL. That memory can include the secret keys used to identify service providers and to encrypt traffic, the names and passwords of users, and the actual content of communications. With those, attackers can eavesdrop on communications, steal data directly from services and users, and impersonate services and users.
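The memory read the post describes came from a missing length check in the handling of the TLS heartbeat extension: the server built its reply from the payload length the peer claimed, without confirming that many bytes had actually been received, and the fix added that check. The example below is added here to illustrate that point and is not code from the post or from OpenSSL; the record layout, the constants (HB_PADDING, BUF_CAP) and the "stale" fill bytes are all constructed for the demonstration, and the naive handler is capped at the local buffer so the program stays within defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heartbeat-style record layout (not OpenSSL's code):
 *   byte 0    : message type
 *   bytes 1-2 : claimed payload length, big-endian
 *   then      : payload bytes, followed by at least HB_PADDING bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define BUF_CAP     64   /* size of the reused receive buffer in this demo */

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Naive echo: builds the response from the *claimed* length and never asks
 * whether that many payload bytes were actually received. The cap at buf_cap
 * keeps this demo within defined behaviour; the real defect had no such cap. */
size_t heartbeat_echo_naive(const uint8_t *buf, size_t buf_cap,
                            uint8_t *out, size_t out_cap) {
    if (buf_cap < 3) return 0;
    size_t n = claimed_len(buf);
    if (3 + n > buf_cap) n = buf_cap - 3;           /* demo-only cap */
    if (3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = buf[1]; out[2] = buf[2];
    memcpy(out + 3, buf + 3, n);                     /* copies whatever follows */
    return 3 + n;
}

/* Checked echo: the claimed length must fit inside the record that was actually
 * received, with room left for the padding. Malformed records are discarded. */
size_t heartbeat_echo_checked(const uint8_t *buf, size_t record_len,
                              uint8_t *out, size_t out_cap) {
    if (record_len < 3 + HB_PADDING) return 0;       /* too short to be valid */
    size_t n = claimed_len(buf);
    if (3 + n + HB_PADDING > record_len) return 0;   /* claimed more than sent */
    if (3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = buf[1]; out[2] = buf[2];
    memcpy(out + 3, buf + 3, n);
    return 3 + n;
}

/* Build a request into a BUF_CAP buffer pre-filled with 'S' ("stale" data
 * left over from earlier use). Returns the number of bytes actually "sent". */
size_t build_request(uint8_t *buf, const char *payload, uint16_t claimed) {
    size_t plen = strlen(payload);
    memset(buf, 'S', BUF_CAP);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 3, payload, plen);
    memset(buf + 3 + plen, 0, HB_PADDING);
    return 3 + plen + HB_PADDING;
}

/* How many stale 'S' bytes the naive handler echoes back when the request
 * carries 5 payload bytes but claims 40. */
int stale_bytes_leaked_by_naive(void) {
    uint8_t req[BUF_CAP], resp[BUF_CAP];
    build_request(req, "hello", 40);
    size_t n = heartbeat_echo_naive(req, BUF_CAP, resp, sizeof resp);
    int stale = 0;
    for (size_t i = 3; i < n; i++) if (resp[i] == 'S') stale++;
    return stale;
}

/* The same 5-byte payload through the checked handler with a given claimed
 * length; a return of 0 means the record was discarded. */
size_t checked_response_len(uint16_t claimed) {
    uint8_t req[BUF_CAP], resp[BUF_CAP];
    size_t sent = build_request(req, "hello", claimed);
    return heartbeat_echo_checked(req, sent, resp, sizeof resp);
}

int main(void) {
    printf("naive handler echoed %d stale bytes\n", stale_bytes_leaked_by_naive());
    printf("checked handler, honest length: %zu bytes\n", checked_response_len(5));
    printf("checked handler, inflated length: %zu bytes\n", checked_response_len(40));
    return 0;
}
```

The naive handler returns the 5 payload bytes, the 16 padding bytes and then 19 bytes of whatever was left in the buffer; the checked handler answers the honest request and silently drops the inflated one, which is the behaviour the patched library adopted.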

For those who don’t quite follow, XKCD have published an awesome comic today that shows the issue quite clearly:

We ourselves have been affected by this, having to upgrade the SSL software for the Ausdroid Community Foundation and have our server certificates reissued to protect against any possible issues. We’ve not identified any compromised information, but we can’t be too careful.

While the majority of the concern lies on the server side of the Internet equation, there are concerns that some client software might be vulnerable as well, although the risk is much, much smaller, as the client side is generally considered much harder to compromise.

In Android land, we’re pretty safe. It seems Heartbleed is only causing issues for one specific version of Android — Android 4.1.1. Every other version is, according to Google, immune to the vulnerability.

The downside, of course, is that devices running software this old might not actually receive an update. It would require a code fix from Google (which has been done) and also an update then being pushed out to affected handsets by manufacturers and carriers, and we all know how difficult that process can be.

It’s not immediately clear just how many handsets could be affected, but we do know a little. According to the numbers coming from earlier this month, Android 4.1.x currently accounts for 34.4 percent of Android usage. We can only hope the patching update rolls out quickly, and that Android 4.1.1 makes up a small percentage of the overall Android 4.1.x figure.

Failing that, if you’re a user with a 4.1.1 handset, you’re especially concerned that it could be vulnerable, and an update isn’t forthcoming, upgrading to a different handset might be the only option.


Source: Google Online Security Blog.

Chris Rowland, Managing Editor

Chris has been at the forefront of smartphone reporting in Australia since smartphones were a thing, and has used mobile phones since they came with giant lead-acid batteries that were "transportable" and were carried in a shoulder bag.

Today, Chris publishes one of Australia's most popular technology websites, Ausdroid. His interests include mobile (of course), as well as connected technology and how it can make all our lives easier.

Join the Ausdroid Conversation

Ramiro Fernandez

This vulnerability only applies to TLS servers. Unless your phone is running some sort of secure server (such as an SSH server, SFTP server, etc) you have nothing to worry about.
