A while back, Apple had a security issue due to a flaw in their SSL code. A line was repeated, GoTo Fail, which was outside of a conditional statement. As such, the code would always be executed if the tested encryption somehow reached the statement. Apple fixed the issue with an update some time ago. However, the fact that this bug only affected Apple made it clear that Apple had their own customized version of SSL, and had ditched OpenSSL. They actually did this back in 2004, because they were able to improve performance and security of the encryption for their own operating systems. As such, HeartBleed, which was only found in OpenSSL, didn’t touch Apple devices at all. This doesn’t mean people who use Apple devices are immune from the dangers of Heartbleed, as going to a website that uses unpatched OpenSSL will still be a security risk, but it does mean that the devices themselves and Apple services are untouched by HeartBleed. You can now breathe a sigh of relief, iOS, Mac OS, iTunes, and iCloud users users.
Google’s Android operating system, on the other hand, does use OpenSSL, and it’s unpatched. To make matters worse, even after Google patches the bug, it could take quite some time to reach all users thanks to fragmentation, and since many phones, especially older ones, don’t receive updates, it may never reach some users. I’ve never actually heard someone swallow hard, making the “gulp” noise, when hearing ominous news, but you can do one now, Android users, if you’d like.
The key issue here isn’t Google’s use of OpenSSL, that’s just how the operating system became vulnerable. Most websites and services online use it, so Google can be forgiven for this. OpenSSL is typically very secure. However, the issue of fragmentation on Android has once again become part of the discussion. The security vulnerability can be found on Android versions 4.1.x (one of the versions of Jellybean). However, carrier and manufacturer customizations to Android mean that some versions of Android 4.2.x also have the vulnerability, and in some cases, much newer versions are vulnerable, including KitKat. Google has a habit of not updating older versions of Android, and cellphone manufacturers are even worse with updating procedures. Frequently, an Android smartphone that’s over a year and a half old won’t receive updates. Due to the severity of this issue, this bug may end up being an exception.
The flaw in Android was discovered by security firm FireEye. They also pointed out that fragmentation between Android devices could keep this bug from being updated for some time. However, what’s most frightening for Android users is how easy it is for developers to take advantage of this bug. To prove their point, FireEye put an app on the Google Play store that exploited the bug to collect usernames, passwords, and more. Of course, they didn’t actually collect the data from users, that would be immoral and illegal. However, they did prove just how easy it would be for anyone to take advantage of this very serious vulnerability on their own devices. They proved that the app could steal data from users running pure Android version 4.4.2, as well as customized versions from Samsung and HTC, and even devices with CyanogenMod 11. Nearly every Android user is vulnerable, and they may be for some time.
Android has always been the least secure mobile operating system when compared to iOS, Blackberry OS, and Windows Phone, but this flaw takes the cake. Everyone was hit by HeartBleed, but Android users will be hit the hardest. Completely bypassing encryption and making phishing so easy, the HeartBleed flaw is still one all Internet users should be concerned about until it’s patched, regardless of the operating system they’re using. Unfortunately, Android users will likely be worried about the vulnerability for some time to come.