How many mobile Users could be affected by Heartbleed flaw?

Pierluigi Paganini April 14, 2014

Heartbleed is the security flaw that is scaring IT industry, which is its impact on the mobile worlds? How many Smartphone Users could be affected?

Heartbleed flaw is the argument that most of all is capturing the attention of the media in this period,  billions of users worldwide have been impacted, there are thousands solutions affected by the vulnerability. Just yesterday I wrote about the impact of Heartbleed vulnerability publicly disclosed by two giants of the IT, CISCO and BlackBerry, which informed their customers that different solution are affected by the threatening flaw. As reported by many sources, the Heartbleed has a significant impact also on mobile users unaware of the incumbent threat. Numerous servers were exposed to serious risks due Heartbleed flaw, same servers are accessed by mobile user enlarging the surface of exposure caused by the flaw in the OpenSSL library. Let’s consider the Android platform, Google issued a specific blog post to reassure its users highlighting that Android OS was not vulnerable to the Heartbleed bug, except for a single version as explained in the following statement:

“Android – All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).  We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe.”

Google anyway has promptly released the security patches for Android 4.1.1 which are being distributed among its partners.

But the version mentioned by Google, the Android 4.1.1 Jelly Bean, is probably today the most widespread version (34.4% of the Android devices, which means that at least 344 Millions of mobile suffer the vulnerability) and it uses the vulnerable version of OpenSSL.

heartbleed android platforms

Are you an Apple user?

Apple uses different SSL/TLS libraries, it doesn’t rely on OpenSSL but anyway also its implementation was affected by a critical vulnerability related to certificate-validation checks that could be abused by attackers to conduct a man-in-the-middle attack within the victim’s network  to capture or modify data even if protected by SSL/TLS.

In reality the checks were present in past versions, but they were not included in the recent version of the operating system for an unspecified amount of time. It must be also considered that Apple users with BlackBerry Messenger are vulnerable to Heartbleed vulnerability.
Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” an Apple spokesperson told Re/code.
And what’s about BlackBerry?
Blackberry has officially confirmed that a variety of its products were affected by the vulnerability including:
  • BBM for iOS and Android
  • Secure Work Space for iOS and Android
  • BlackBerry Link for Windows
  • BlackBerry Link for Mac OS

anyway according the company BlackBerry Smartphones neither BlackBerry Infrastructure aren’t affected by the flaw. According TheHackerNews security portal the overall number of affected users is nearly 80 million people, exactly the number of BlackBerry Messenger service users.

Pierluigi Paganini

(Security Affairs –  Heartbleed, mobile)

you might also like

leave a comment