
Android 4.1.1 Heartbleed - Why can't we update directly from Google?

Since your phone doesn't run OpenSSL (it just connects to the SSL port of a server that uses SSL - and might be using the affected version of one single SSL program, OpenSSL, without having been patched against the bug), whoever wrote that has to go back to school and learn what software is and how it works.

It's like saying that XYZ Sail Manufacturing Company sent out a defective load of sails, so you should check your car's tires to make sure that they aren't using defective sails. Phones and computers (laptops and desktops) run by individuals usually don't run SSL, since it's a module or object file used by the web server - which your phone doesn't run (at least not open to the public - Airdroid runs a web server, but it's not secure at all, because only people on your wifi network can access it). Your laptop or desktop MAY be running a web server - but if it is, and you've graduated beyond having to read the xampp documentation every time you want to run it, you've made sure that, IF you run SSL, AND the version you run is OpenSSL, you've deleted the old file and replaced it with the corrected one.

The ONLY "vulnerability" here is that when you send OpenSSL a 1k request, you get back 1k of data FROM THE SERVER. (The data sent is the same amount as the data received.) With the bug you can send a 1k request requesting the last 5 GB uploaded to the server, so you get all the data people have been uploading to it for hours. Whether you use a phone, a laptop or a mainframe makes no difference. The hacker can still get data you've put on a server running unpatched OpenSSL.

Since just about no bank in the US runs OpenSSL for security, no banks are vulnerable. No HTTP site is vulnerable. (OpenSSL requires that you use HTTPS as the protocol.) And no site that's replaced or patched their OpenSSL file (which is just about all of them by now, except for people running their own web servers and not really knowing anything about running web servers) is vulnerable.

All the rest of this nonsense (including most of what you quoted) is FUDD.

Tell that to Lookout and The Guardian.

From The Guardian:
Affected devices are apparently “vulnerable to a hack described as ‘reverse Heartbleed’ — where a malicious server would be able to exploit the flaw in OpenSSL to grab data from the phone’s browser, which could include information about part sessions and logins,” according to The Guardian.

Furthermore, Lookout’s principal security researcher Marc Rogers told Bloomberg that a Heartbleed-based attack against Android would be a complex task.

“Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don’t expect to see any attacks against devices until after the server attacks have been completely exhausted,” he said.

From Google (ask yourself: if it was just server side, why would Android version matter?):
All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners)

As I said above, industry security experts (and Google) are saying 4.1.1 devices are vulnerable to a targeted attack at the device, not the server. Heck, I even posted the proof of concept video of this happening above.


Also, Trend Micro for good measure:
http://blog.trendmicro.com/trendlab...pps-and-android-411-vulnerable-to-heartbleed/

OpenSSL Library Present in Android 4.1.1 and Certain Mobile Apps

We have information that although the buggy OpenSSL is integrated with the Android system, only the Android 4.1.1 version is affected by Heartbleed vulnerability. For devices with that version, any app installed with OpenSSL which is then used to establish SSL/TLS connections is possibly affected and can be compromised to get user information from the device memory.

However, even if your device is not using the affected version, there is still the matter of the apps themselves. We have found 273 in Google Play which are bundled with the standalone affected OpenSSL library, which means those apps can be compromised in any device.
...
A reverse client-side Heartbleed attack is possible if the remote servers those apps connect to are compromised. A reverse Heartbleed can of course also expose user device memory to a cybercriminal.

OpenSSL is integrated in Android. And 4.1.1 is vulnerable. The relative threat, and how much to do on your end to protect yourself, is all that's really up for debate.
 
Remember that most newspaper writers were English or Journalism majors, and couldn't write a "Hello World!" app in BASIC, so I wouldn't take their "explanations" about a bug (that directly contradict what the person who wrote the bug [inadvertently]) seriously. The man who wrote the bug knows what it is, how it works and what caused it better than anyone else, and his claim is that it's limited to the servers running an unpatched latest version of the code that he himself wrote - code that DOESN'T run on cellphones of any kind (unless you happen to be running an OpenSSL-protected web server on your phone - which would mean that you've already finished laughing at articles like the above quotes).

"We have information that although the buggy OpenSSL is integrated with the Android system" I don't know who gave them that information (probably another Journalism student), but it didn't come from the man who wrote the bug.

"We have information that although the buggy OpenSSL is integrated with the Android system" It doesn't. This is known as the Fallacy of Believing Everything you Read on the Web.

"We have found 273 in Google Play which are bundled with the standalone affected OpenSSL library, which means those apps can be compromised in any device." Since there's no possible reason for that to be done (unless the app is a secure web server), it's a matter of knowing what you're downloading. Anyone downloading crap deserves what he gets.

And if the vulnerability depends on the version of Android - and it also depends on the app ("We have found 273 in Google Play") ... which is it? Does it depend on the app, does it depend on the version of Android or does it depend on the app running on the particular version of Android?

BTW, if the phone is running on wifi, not your data connection, unless you're VERY stupid and forwarded port 443 to your phone (anyone who could probably wouldn't), the server can't get to your phone. Unless the bug also includes replacing your router with one built to allow the bug to work in reverse, which is further from reality than any fairy tale I've ever read. (The site can't connect to port 443 in your phone - which is where OpenSSL works - unless you've set your router up to allow it. Which is like taping the combination to your safe on the door of the safe. I realize that some people have their login and password on a sticky note on their monitor, but most people have at least a little common sense.)

IOW, it's FUDD, written by someone who read some things on the web, didn't understand what he read, but thought it made a good story. Probably about 75% of the content of the web is that sort of thing - nonsense repeated by everyone who reads it and has a site.
 
I used the newspaper articles because they were written for laymen. The OP is asking for to-the-point, easy-to-understand information about the exploit. If you want to say journalists often misinterpret or misunderstand information, that is fine, but it's easy enough to find the original source.

If an Android Has a Heart, Does It Bleed? | FireEye Blog

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeats messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack.
On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that there were at least 220 million downloads affected by the Heartbleed vulnerability.
From that I conclude:
Android has it baked in. Only 4.1.1 uses the vulnerable version.

Apps can either rely on the version of OpenSSL that is included in Android or have a version of it baked in themselves. Which one they rely on determines whether that app's data can be at risk.

You may be right about whether the risk is actually likely to be used, but it is present.
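
For reference, the length check that the quoted FireEye text turns on ("crafted heartbeats messages" causing a buffer over-read), as an added example that is not from any poster in this thread and is not OpenSSL's code. It follows the RFC 6520 message layout and applies to whichever side receives the heartbeat, client or server; the function names and both sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_HDR 3u
#define HB_MIN_PAD 16u
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
typedef enum { HB_OK, HB_TRUNCATED, HB_BAD_TYPE, HB_OVERCLAIM } hb_verdict;

/* Constructed samples: an honest request, and one claiming 16384 payload bytes
 * while carrying a single byte. Unlisted trailing bytes are zero padding. */
static const uint8_t SAMPLE_OK[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t SAMPLE_OVERCLAIM[20] = {HB_REQUEST, 0x40, 0x00, 'x'};
static uint8_t OUT[64];

/* Validate a decrypted heartbeat message against the bytes actually received. */
hb_verdict hb_check(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HB_HDR + HB_MIN_PAD)
        return HB_TRUNCATED;
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (claimed > msg_len - HB_HDR - HB_MIN_PAD)
        return HB_OVERCLAIM;   /* RFC 6520: discard silently */
    return HB_OK;
}

/* Echo a valid request into out; returns bytes written, 0 if discarded. */
size_t hb_respond(const uint8_t *req, size_t len, uint8_t *out, size_t cap)
{
    if (hb_check(req, len) != HB_OK || req[0] != HB_REQUEST)
        return 0;
    size_t n = ((size_t)req[1] << 8) | req[2];
    if (HB_HDR + n + HB_MIN_PAD > cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = req[1]; out[2] = req[2];
    memcpy(out + HB_HDR, req + HB_HDR, n);       /* only received bytes */
    memset(out + HB_HDR + n, 0, HB_MIN_PAD);     /* real stacks use random padding */
    return HB_HDR + n + HB_MIN_PAD;
}

int main(void)
{
    printf("honest:    verdict=%d reply=%zu bytes\n", hb_check(SAMPLE_OK, sizeof SAMPLE_OK),
           hb_respond(SAMPLE_OK, sizeof SAMPLE_OK, OUT, sizeof OUT));
    printf("overclaim: verdict=%d reply=%zu bytes\n", hb_check(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM),
           hb_respond(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, OUT, sizeof OUT));
}
```

An endpoint that skips the `HB_OVERCLAIM` comparison and copies `claimed` bytes regardless is the over-read the thread is arguing about.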