
Researchers say that some of the 17 apps for Android claiming to search for Heartbleed are fake

Heartbleed has been an interesting topic of discussion for the past few weeks. Just last week, a 19-year-old Canadian was arrested for allegedly hacking into the Canada Revenue Agency (CRA) portal by using Heartbleed.
 
Word has now surfaced that Heartbleed may be ready to cause a significant problem for Android users. Reports indicate that 150 million Android apps are vulnerable to Heartbleed. Security researchers also say that of the 17 Android apps that claim to scan for Heartbleed, at least six use scanning methods that are insufficient.
 
The findings came from FireEye researchers Yulong Zhang, Hui Xue and Tao Wei. The researchers wrote, "For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed."
 
Some versions of Android aren’t vulnerable to Heartbleed, including Jelly Bean 4.1 and 4.1.1, since they don't use OpenSSL or use it in a way where the flawed features susceptible to Heartbleed are disabled by default.
 
According to the researchers, most of the vulnerable apps are games.
 
On the plus side, the researchers say the number of apps vulnerable to Heartbleed has declined since April 10, when an estimated 220 million were vulnerable.
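The researchers' figure counts apps that bundle their own copy of OpenSSL as a native library. The following Python script is an added example, not code from the article or from FireEye: it opens an APK, looks for the OpenSSL version string embedded in each bundled .so, and flags versions in the Heartbleed range (1.0.1 through 1.0.1f; 1.0.1g carried the fix). As the article notes, a build can have the flawed heartbeat feature disabled, which the version string alone cannot show, so a hit is a candidate for review rather than a confirmed vulnerability. The sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
VULNERABLE_LETTERS = ("", "a", "b", "c", "d", "e", "f")
# OpenSSL embeds a text such as "OpenSSL 1.0.1e 11 Feb 2013" in libcrypto/libssl.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)\b")


def classify_openssl_blob(blob):
    """Return (version_text, status) for the bytes of one native library.

    status is 'none' (no OpenSSL version string found), 'not-affected', or
    'vulnerable-version'. The last one means the version is in the affected
    range; whether the heartbeat extension was compiled in cannot be read
    from the version string, so treat it as a candidate, not a confirmation.
    """
    m = VERSION_RE.search(blob)
    if not m:
        return None, "none"
    base, letter = m.group(1).decode(), m.group(2).decode()
    if base == "1.0.1" and letter in VULNERABLE_LETTERS:
        return base + letter, "vulnerable-version"
    return base + letter, "not-affected"


def scan_apk(apk_bytes):
    """Classify every bundled native library (lib/<abi>/*.so) inside an APK."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                results[name] = classify_openssl_blob(z.read(name))
    return results


def build_sample_apk():
    """Constructed sample APK: one vulnerable lib, one patched lib, one without OpenSSL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libgame.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...")
        z.writestr("lib/armeabi/libcrypto.so", b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...")
        z.writestr("lib/armeabi/libplain.so", b"\x7fELF...no crypto here\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, (version, status) in scan_apk(build_sample_apk()).items():
        print(f"{lib}: {version} -> {status}")
```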

Source: Recode



Comments

Word has just now surfaced?
By NellyFromMA on 4/24/2014 1:34:19 PM , Rating: 4
quote:
Word has now surfaced that Heartbleed may be ready to cause a significant problem for Android users.


This was brought up at least a week ago.

Even CNN reported on it. Better late than never I guess, but I mean, this is pretty relevant tech news to be so late...




RE: Word has just now surfaced?
By Reclaimer77 on 4/24/14, Rating: 0
Where is your verification?
By neothe0ne on 4/24/2014 3:39:08 PM , Rating: 2
quote:
Some versions of Android aren’t vulnerable to Heartbleed, including Jelly Bean 4.1 and 4.1.1, since they don't use OpenSSL or use it in a way where the flawed features susceptible to Heartbleed are disabled by default.


This is the OPPOSITE of the truth. If you can't verify your news please don't report it!




Please, educate yourself!
By sprockkets on 4/24/2014 5:48:12 PM , Rating: 2
The only version of Android that is vulnerable is 4.1.1. AND, in order to be hacked by it, you have to have some sort of cross-scripting attack done on the included Android browser in another tab, which btw, is not included by default anymore after 4.0.3.

You can't have a cross attack in an app because there isn't anything there to take a peek at, and all apps are sandboxed in their own accounts so each app can't talk to each other.

The people who need to worry are the major websites who used OpenSSL on their web servers, and the users of them should change their passwords after they hopefully trashed their old certificates.




Not apps.
By Visual on 4/28/2014 5:20:01 AM , Rating: 2
Apps themselves cannot be vulnerable. I am quite certain they would not contain statically linked OpenSSL libraries; they would either load an OS-provided dynamic library or more likely just use some wrapper APIs from the OS. In either case, the app itself is not at fault. Update the OS.




This is what happens...
By rs1 on 4/28/2014 8:33:03 AM , Rating: 2
...when tech writers don't understand technology.

quote:
For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed


No. Just no. That statement makes no sense whatsoever. For one thing, Android apps are written in Java. OpenSSL is a C library. As a general rule you do not link C libraries with a Java application. You technically can, but it's not commonly done. Particularly not for crypto/SSL libs which would be provided natively by the platform runtime/SDK. As they are in this case.

More substantially, Heartbleed is a server-side exploit. So unless those apps are locally hosting HTTPS/SSL servers then it doesn't matter if they use "OpenSSL libraries vulnerable to Heartbleed" or not. If they're not actively hosting a publicly accessible server, they're not vulnerable no matter what OpenSSL version they've got.

And even if they were vulnerable, it's likely a moot point. The appeal of Heartbleed as an attack vector is that it allows you to view arbitrary memory contents on the affected machine. On a webserver that's a huge deal, as you might find things like user login details, cryptography keys, database connection credentials, and other information that you can use to compromise thousands upon thousands of accounts simultaneously. On someone's phone, however, all you get is that one user's stuff. Unless they've got thousands of users accessing something they're hosting on their phone, but that seems doubtful.

I might believe that there are 150 million Android apps out there that communicate with servers that have not been patched yet. That would be plausible. But in that case, it's the server that has the problem, not the app. And of course, that would mean that any equivalent apps that exist for iOS, Windows Phone, or any other platform are equally unsafe to use.



