Millions of Android devices may be utilizing versions of the OpenSSL library vulnerable to the Heartbleed bug, but experts say the actual risk to Android users remains unclear at this stage.
Even pinning down how many Android devices may be exposed by the OpenSSL vulnerability, publicly reported just over a week ago, is a tricky task. Google said in an April 9 blog post that Heartbleed currently affects only devices running version 4.1.1 of its Android mobile operating system, released in July 2012, and that the company is distributing patching information for the affected version to Android partners.
Google's statistics show only that over one-third of Android users are on some version in the 4.1.X range, though, leaving it unclear just how many devices are vulnerable. A source familiar with Android's market share told SearchSecurity that 4.1.1 users make up a relatively small portion of the much larger group on the Jelly Bean release.
Ad network firm Chitika ran an analysis of North American Web traffic from April 7 to April 13 for UK-based news agency The Guardian, which showed that 19% of Jelly Bean users were running the vulnerable 4.1.1 version. All told, The Guardian estimates that at least 4 million Android devices in the U.S., and tens of millions worldwide, could be affected by Heartbleed.
Mobile devices from Google rivals Apple and Microsoft are not affected by the Heartbleed OpenSSL vulnerability.
Attack scenarios highly impractical
While Heartbleed could pose a theoretical risk to millions of Android users, mobile security experts told SearchSecurity the practicality of such attacks is questionable.
Marc Rogers, principal security researcher with mobile security vendor Lookout Inc., said that while millions of devices may technically be vulnerable to Heartbleed due to the inclusion of a vulnerable OpenSSL version, many such devices may not have the necessary heartbeat functionality enabled, making an attack impossible.
For those Android users who are affected, there is no way to turn off the heartbeat functionality, according to Rogers, meaning users are likely stuck waiting for an update from a carrier, and such updates tend to be released at a notoriously slow pace. That means attackers could use Heartbleed to steal sensitive data from the memory of Android devices, but Rogers said that Android devices would have to be targeted on an individual basis, making the vulnerability less attractive to malicious actors.
The limitations on what an attacker can glean from an exploit make attacks on Android users even less likely, he said.
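The condition that makes a Heartbleed request dangerous is a heartbeat record whose declared payload length exceeds the bytes the record actually carries; the following detection check is an added example written for this article, not code from Lookout, Bluebox or Google, and its record parser, function names and sample byte strings are assumed and constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24     # content type of the TLS heartbeat extension (RFC 6520)
HB_HEADER_LEN = 3      # heartbeat type (1 byte) + payload_length (2 bytes)
HB_PADDING_MIN = 16    # RFC 6520 requires at least 16 bytes of padding after the payload


def iter_tls_records(stream):
    """Yield (content_type, fragment) for each TLS record in a byte stream; stop at a truncated record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            break  # record is cut off; nothing further can be parsed reliably
        yield ctype, fragment
        offset += 5 + length


def heartbeat_is_malformed(ctype, fragment):
    """True when a heartbeat record claims more payload than its fragment can hold.

    This is the bounds check absent from OpenSSL 1.0.1 through 1.0.1f: the declared
    payload_length plus the 3-byte header and 16 bytes of padding must fit inside the
    record that was actually received. Non-heartbeat records are never flagged.
    """
    if ctype != TLS_HEARTBEAT:
        return False
    if len(fragment) < HB_HEADER_LEN:
        return True  # not even a complete heartbeat header
    _hb_type, payload_len = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    return HB_HEADER_LEN + payload_len + HB_PADDING_MIN > len(fragment)


def find_malformed_heartbeats(stream):
    """Return the 0-based indexes of records in `stream` that fail the heartbeat bounds check."""
    return [i for i, (ctype, frag) in enumerate(iter_tls_records(stream))
            if heartbeat_is_malformed(ctype, frag)]


# Constructed sample records (not captured traffic): an application-data record, a
# well-formed heartbeat carrying a 3-byte payload plus 16 bytes of padding, and a
# heartbeat whose payload_length field claims more than the record holds.
APP_DATA = b"\x17\x03\x02\x00\x05" + b"hello"
GOOD_HEARTBEAT = b"\x18\x03\x02\x00\x16" + b"\x01\x00\x03" + b"abc" + b"\x00" * 16
BAD_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x01\x00"
SAMPLE_STREAM = APP_DATA + GOOD_HEARTBEAT + BAD_HEARTBEAT

if __name__ == "__main__":
    print(find_malformed_heartbeats(SAMPLE_STREAM))  # [2]
```

The same check, applied by a patched OpenSSL on receipt, is what turns such a request into a silently discarded record instead of a memory disclosure.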
"The memory they would be able to access would be restricted to the program that's making the request. So, for example, if you're using a browser and it's browsing a malicious website, it will only be able to steal data from the browser," said Rogers, "but that could still have serious implications. If somebody is browsing their banking site in one tab and they hit a malicious website in another tab, the malicious tab would be able to steal data from the banking tab."
Another possible avenue for attackers, according to Jeff Forristal, chief technology officer for mobile security vendor Bluebox Security, is to prey on Android apps that utilize a vulnerable version of the OpenSSL library, though he cautioned that such an exploit would be difficult to pull off.
Forristal noted that the risk to Android users in such instances is first limited to what functions an app performs and what user data it can access. Even if an attacker were able to target a specific user via a vulnerable app, Forristal said that exploiting Heartbleed in a client-side attack is much more difficult than in a server-side attack, and it is the server side where successful exploits have already been reported.
In a client-side attack, an attacker first would have to insert himself in the middle of communications between the Android device and a server, according to Forristal, which makes openly shared Wi-Fi networks at coffee shops and airports the most likely vantage point for such an exploit. Such attacks are made slightly easier by the use of embedded Wi-Fi access points in mobile apps, he said, which could enable attackers to force a device to connect to a Wi-Fi network.
Once in place, a successful exploit would still be unlikely to yield a fruitful return for attackers, Forristal said, because client-side devices won't provide them with the opportunity to send the overwhelming amount of heartbeat requests necessary to make Heartbleed a truly useful vulnerability.
"Attacking the client, you'll probably only get a few chances. You're not going to be able to do a million requests because, remember, you're not asking the client or initiating the connection to the client to pump the data out. You're waiting for the client to go initiate to someone else, and you're just leveraging that opportunity, and the client is only going to make a few attempts," said Forristal. "So you have a window of opportunity where you're only going to get a little bit of data, and it's a crapshoot whether you'd get anything interesting. You definitely could, but the odds aren't as much in the favor of the attacker as they were on the server side."
T. Charles Clancy, Android security researcher and associate professor at Virginia Tech, said he is doubtful that Heartbleed poses any direct threat to users, whether it be through the vulnerable OpenSSL versions installed on devices or apps using the OpenSSL library. That doesn't mean Android users are entirely in the clear, though, according to Clancy.
"The bigger risk comes from the indirect exposure," said Clancy. "Many cloud services that Android apps interact with could be vulnerable, which introduces threats into the overall ecosystem that could have an indirect impact on user privacy and user devices."
Android users do retain the option of rooting their devices and installing an updated, secure version of the operating system, but Rogers warned that such measures should only be undertaken by users who have intimate knowledge of the rooting process and its potential downsides. Rooting may even disable some on-device security software in certain instances, he noted, meaning the device may not be more secure as a result.
Ultimately, Forristal said that Android users should focus on changing their passwords on the various websites that Heartbleed may have affected, though even that prospect is tricky, as not all sites are even aware that the vulnerability exists, much less likely to release uniform information once they apply patched versions of OpenSSL. As a result, Heartbleed may be a lingering issue, he said, but not one that warrants more attention than the multitude of active Internet security issues.
"It's going to be no more or less different than any other security bug that has been out there," said Forristal. "This is just the cost of doing business in terms of the Internet and software security. We've had massive amounts of SQL injection [attacks] and worms; I mean, we've had things like this before and the Internet didn't grind to a halt."