Android 4.1.1 running devices vulnerable to Heartbleed


Unless you’ve been living under a rock for the past few days, it’s been hard to miss the buzz around Heartbleed, the latest and greatest vulnerability to hit the internet. The flaw in OpenSSL is said to affect close to two thirds of the internet and could allow theft of data protected by SSL/TLS encryption. In short, all your passwords could be easily accessible. Most of the sites that you’re likely to frequent and most devices that you use have since been patched against Heartbleed, all except one.

Google yesterday issued a statement saying that all versions of Android are immune to CVE-2014-0160, i.e. Heartbleed, with the limited exception of Android 4.1.1. Google’s Android distribution dashboard states that Android Jelly Bean (4.1.x – 4.3) accounts for 34.4%. If even a small subset of the current install base is on 4.1.1, it potentially makes several million users out there vulnerable. Fret not, though, as Mountain View has already pushed out a patch to Android partners, and it is now up to OEMs and carriers to roll this out to users.

Security research firm Lookout confirmed that hackers are less likely to go after individual devices than servers. This stems from the fact that setting up and attacking a single device takes longer and the rewards are low, if any at all. A server, on the other hand, gives the hacker access to a lot more information. All said and done, in case you are using an Android 4.1.1 based device, there is little that you can do other than wait for your operator or device manufacturer to push out the update.

[via – Google]


Author: Dhruv Bhutani
