
How many mobile users could be affected by the Heartbleed flaw?

Heartbleed is the security flaw that is scaring the IT industry. What is its impact on the mobile world? How many smartphone users could be affected?

The Heartbleed flaw is the topic capturing most of the media’s attention in this period: billions of users worldwide have been impacted, and thousands of solutions are affected by the vulnerability. Just yesterday I wrote about the impact of the Heartbleed vulnerability publicly disclosed by two IT giants, Cisco and BlackBerry, which informed their customers that various solutions are affected by the flaw. As reported by many sources, Heartbleed also has a significant impact on mobile users, who are unaware of the threat. Numerous servers were exposed to serious risk by the Heartbleed flaw, and the same servers are accessed by mobile users, which enlarges the exposure caused by the flaw in the OpenSSL library.

Let’s consider the Android platform. Google issued a specific blog post to reassure its users, highlighting that Android was not vulnerable to the Heartbleed bug except for a single version, as explained in the following statement:

“Android – All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).  We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe.”

Google has, in any case, promptly released security patches for Android 4.1.1, which are being distributed to its partners.

But the version mentioned by Google, Android 4.1.1 Jelly Bean, is probably the most widespread version today (34.4% of Android devices, which means that at least 344 million mobile devices are affected by the vulnerability), and it uses the vulnerable version of OpenSSL.

Are you an Apple user?

Apple uses different SSL/TLS libraries and doesn’t rely on OpenSSL, but its implementation was also affected by a critical vulnerability in its certificate-validation checks that attackers could abuse to conduct a man-in-the-middle attack within the victim’s network, capturing or modifying data even if protected by SSL/TLS.

In reality the checks were present in past versions, but they were not included in the recent version of the operating system for an unspecified amount of time. It must also be considered that Apple users with BlackBerry Messenger are vulnerable to the Heartbleed vulnerability.

“Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected,” an Apple spokesperson told Re/code.

And what about BlackBerry?

BlackBerry has officially confirmed that a variety of its products were affected by the vulnerability, including:
  • BBM for iOS and Android
  • Secure Work Space for iOS and Android
  • BlackBerry Link for Windows
  • BlackBerry Link for Mac OS

However, according to the company, neither BlackBerry smartphones nor BlackBerry Infrastructure are affected by the flaw. According to the security portal The Hacker News, the overall number of affected users is nearly 80 million people, exactly the number of BlackBerry Messenger service users.

Pierluigi Paganini

(Security Affairs –  Heartbleed, mobile)
