Every casual and hardcore tech enthusiast must be aware of the Heartbleed bug by now; unfortunately, their cloud of paranoia is only bound to expand now that Google has revealed that everyone with an Android 4.1.1 device is affected by this major flaw. It is an OpenSSL security flaw which was revealed by Google last week, and it had a significant impact on the majority of secure websites on the internet. Evidently, it implies that Google still has a lot of work to do to bring Android's updating process up to par.
The first effective encounter with Heartbleed was reported early this month. It is primarily a bug in the OpenSSL encryption framework, which web servers use to secure communication between them and the outside world. The vulnerable version allows the retrieval of valuable information such as user account details, encryption keys, and chat and message content from the hosting servers. Attackers can misuse such data. Adding to the concern, it is not known whether this weakness was already known to potential attackers or agencies before this recent incident.
News and Solution
What’s making the news is that an updated patch with a new SSL certificate is being circulated via manufacturers and carriers, who eventually release most updates. It is a much-needed update, as we aren’t sure of the exact number of users who could still be using Android 4.4.1, also known as Jelly Bean. Apparently Jelly Bean is also the platform with the largest user base, despite all the facts about Android fragmentation.
Google has reported that its web services such as Gmail, Search, YouTube, Play Store, Wallet, App Engine, AdWords, DoubleClick, Maps, etc. were affected by Heartbleed earlier, but these are now updated with the patch release. Nevertheless, there are other associated sites such as Facebook, Twitter, Yahoo, Dropbox, Tumblr, GoDaddy, and Amazon Web Services which are still vulnerable.
According to Google statistics based on the number of visitors to Google’s Play Store, 5.3 percent of users are on KitKat, 8.9 percent on Jelly Bean 4.3, 18.1 percent on Jelly Bean 4.2, and a huge 34.4 percent on the affected Jelly Bean 4.1 series. Considering the time that has passed since the release of 4.1, we can only hope that fewer devices are affected. Besides, Google hasn’t released any stats on the percentage breakdown as of now. Hopefully the patch for 4.1.1 should make it to users in a day or two.
Heartbleed has raised a lot of questions for the developers concerned. Tight and strict regulatory guidelines are being proposed for cryptographic code in open source development. Critics are asking why security libraries continue to be written in a language that can give rise to Heartbleed-type issues. A developer’s perspective is not out yet and, as it stands, Android is just lucky that Samsung flagship phones haven’t been impacted so far. It seems that Android got lucky this time, but they need to find better ways of protecting their customers in future. Competitors are way ahead.