April 28, 2014
In the aftermath of Heartbleed, internet security is coming under close scrutiny. But it turns out that being hacked is still a very real threat for certain devices, calling enterprise mobile security into question.
Though it’s been weeks since Heartbleed was detected and the internet subsequently went on lockdown, Android devices running version 4.1.1 specifically are still reportedly vulnerable* to outside threats due to a flaw in the OpenSSL software that release ships with.
In addition, a new study† discovered that roughly 150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.
Although these apps mostly consist of games (not the best source of useful information to hack), experts say that some apps use authorization credentials that can be linked to a user’s social media. Theoretically, a hijacker could use one of these vulnerable game applications to gain access to more valuable accounts.
As for the version 4.1 flaw, Google estimates that 34 percent of the 900 million total Android devices currently run some variation of version 4.1, released in 2012. The same logic applies here: Though hackers have mostly focused on OpenSSL servers, they could potentially target individual devices to steal data.
This isn’t the first time Google has encountered mobile device security problems from malware threats. More than 1 million malware threats targeted Android devices during the first nine months of 2013, up from 175,000 in all of 2012.
That’s why it’s better to be safe than sorry, especially when it comes to sensitive information (and particularly sensitive company information stored on or accessible from your device).
And as BYOD trends continue to grow in popularity, the importance of data security will grow as well.
With regard to the vulnerable apps, many app developers and library vendors have done a good job of implementing proper fixes thus far: Between April 10th and April 22nd, the number of potentially vulnerable apps decreased from around 220 million to just 150 million.†
And Android’s parent company hasn’t been idle: Google has provided fixes for the flaws in version 4.1.
However, the Internet giant is notorious for its long update cycle. Now, it’s up to handset manufacturers and wireless carriers to use this patch to update potentially at-risk devices.*
Until then, be wary of apps claiming to scan your device to detect Heartbleed.
While there are 17 “Heartbleed scanner” apps currently downloadable on Google Play, a report† found that only two are reliable (unfortunately, it did not specify which ones). The rest are reportedly unable to detect Heartbleed-vulnerable apps reliably, and several of them are actually forms of adware.†
Until more universal repairs are released to fix the vulnerabilities in Android devices, it may be a good idea to stay away from downloading new apps from Google Play.
Moving forward, one of the most important takeaways from incidents like this is that companies considering BYOD or MDM must choose the right EMM solution – or run the risk of giving potential hackers an opening into valuable company information.
* Robertson, Jordan. “Millions of Android Devices Vulnerable to Heartbleed Bug.” Bloomberg. Bloomberg L.P.
† Wei, Tao, Hui Xue, and Yulong Zhang. “If an Android Has a Heart, Does It Bleed?” FireEye. FireEye, Inc.