In general, most apps on Android are not going to be impacted, even if they are (technically) vulnerable.
In order for Heartbleed to be abused on a client device like an Android device, an app on the device will need to connect to a malicious server - one that has been specifically set up to abuse the vulnerability. Even then, the only impact is that the website can steal data from that one specific app, not from the device in general.

Most apps either never connect to a web server, or only connect to a specific website run by the app's developers or similar. Given that you're already trusting the app itself, it's an obvious step to say that the website it's connecting to is also trustworthy (or at least, as much as the app is), so the additional risk here is basically zero.

Things are a little different for apps that connect to multiple, non-hardcoded sites, e.g., a web browser. If you were to connect to a compromised site (either directly, or via a link/image/etc. on another site) then you could potentially be exploited. Again, the only risk is that the site could steal data from the memory of your web browser, NOT from other apps. E.g., if you'd just logged into your internet banking using your web browser, then it's possible that the credentials could be snagged; however, if you had just logged into your internet banking APP (and presuming that app was a true app and not just a wrapper to the web browser) then your credentials could NOT be stolen.

So yes, it's a concern, but probably not as big a one as the press is going to be making out over the next few days as they move their attention from servers to clients.

And remember, it's Android 4.1.1 only, not the far more common 4.1.2, which despite running the affected version of OpenSSL has the heartbeat code disabled (most likely as a potential battery performance improvement).

Scott

On Tue, Apr 15, 2014 at 5:18 PM, Jan Whitaker <jw...@internode.on.net> wrote:

> At 01:34 AM 10/04/2014, Rick Welykochy wrote:
>
> >The Heartbleed Bug has been plaguing Apache and nginx web servers
> >for a couple of years.
>
> Just did a bit of research on this re the trickle out of more info
> about the bug: affecting Android devices. Turns out the largest user
> base, Jellybean 4.1.1 is affected and still no patch.
>
> http://www.androidtablets.net/forum/android-tablet-news-depot/66538-heartboned-why-google-needs-reclaim-android-updates.html
>
> This happens to be the version installed on the inexpensive tablets
> from Aldi (I bought one late last year). Plus the Google staff are
> only saying they will advise their Android partners. All well and
> good, but how will those partners advise their end customers, like me?
>
> http://googleonlinesecurity.blogspot.com.au/2014/04/google-services-updated-to-address.html
>
> I have changed some passwords on critical accounts, like gmail which
> I hardly ever use, but is my Google overall password because of their
> integration approach, and Amazon. But if the os is buggy, doesn't
> seem like that's worth much now/yet/
>
> I've never had to update an Android system before, so have no idea
> how that happens. Apps seem to take care of themselves automatically,
> but Android???
>
> Any further advice? I can't seem to find what I'm looking for on this
> beyond the above. (whirlpool doesn't address it yet, for example)
>
> Jan
>
> Melbourne, Victoria, Australia
> jw...@janwhitaker.com
>
> Sooner or later, I hate to break it to you, you're gonna die, so how
> do you fill in the space between here and there? It's yours. Seize your
> space.
> ~Margaret Atwood, writer
>
> _______________________________________________
> Link mailing list
> Link@mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link