Heartbleed Bug Impacts Mobile Devices
Another SSL vulnerability has been disclosed and released to the public. This one is tracked as CVE-2014-0160 or, as it is commonly called, the Heartbleed bug, because it leaks information from the heartbeat messages an SSL/TLS connection produces. We won't go into the details of the bug, but if you are interested, the website http://heartbleed.com/ has an excellent writeup. It affects both clients and servers.
OpenSSL security advisory: https://www.openssl.org/news/secadv_20140407.txt
How does this relate to mobile devices? The OpenSSL library embedded in Android devices can be vulnerable. We looked at multiple released Android versions and were able to see vulnerable uses in the AOSP source code. One word of warning: while AOSP code may reflect vulnerability or non-vulnerability to the Heartbleed bug, Android is open to manufacturers changing the code and build configuration. Additionally, determining whether a build is vulnerable is a two-step check. The first step is to check the version of OpenSSL embedded in the Android OS. The second is to determine the build configuration options. If the version of OpenSSL is vulnerable but the build config disables heartbeats (-DOPENSSL_NO_HEARTBEATS), then the heartbeat code is compiled out and the build is not vulnerable.
We checked the AOSP source versions from the latest KitKat release down to Ice Cream Sandwich. Android versions prior to ICS run an old enough version of OpenSSL that they are not vulnerable to this bug. Overall, while all of the iterative versions from Jelly Bean to KitKat run a vulnerable version of OpenSSL, they all disable heartbeat messaging, except for Android 4.1.1. It seems 4.1.1 is truly vulnerable to Heartbleed, since it runs a vulnerable version of OpenSSL and does not disable heartbeats.
From our analysis we determined the following:
| AOSP Version | OpenSSL Version | Vulnerable OpenSSL Version | Heartbeats Disabled | Overall Vulnerable |
|---|---|---|---|---|
| 4.4.2_r2 | 1.0.1e | yes | yes | no |
| 4.4.2_r1 | 1.0.1e | yes | yes | no |
| 4.4 | 1.0.1e | yes | yes | no |
| 4.3 | 1.0.1e | yes | yes | no |
| 4.2.2 | 1.0.1c | yes | yes | no |
| 4.2 | 1.0.1c | yes | yes | no |
| 4.1.2 | 1.0.1c | yes | yes | no |
| 4.1.1 | 1.0.1c | yes | no | yes |
| 4.0.4 | 1.0.0e | no | n/a | no |
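The two-step check described above (vulnerable OpenSSL release, then whether the build defined OPENSSL_NO_HEARTBEATS) can be automated. The following is an added example, not Bluebox's scanner code; the CFLAGS strings in the sample are constructed stand-ins mirroring the table, not the contents of any real AOSP makefile.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g
# carries the fix, and the 0.9.8 / 1.0.0 branches are not affected.
LAST_VULNERABLE_PATCH = "f"
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"

def openssl_version_vulnerable(version: str) -> bool:
    """Step 1: is this OpenSSL release in the vulnerable 1.0.1..1.0.1f range?"""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, patch = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, fix) != (1, 0, 1):
        return False
    # bare "1.0.1" and single-letter patch releases up to "f" are vulnerable;
    # "g" onwards and the multi-letter "za", "zb", ... releases are fixed
    return len(patch) <= 1 and patch <= LAST_VULNERABLE_PATCH

def heartbeats_disabled(cflags: str) -> bool:
    """Step 2: did the build define OPENSSL_NO_HEARTBEATS, compiling the code out?"""
    return NO_HEARTBEATS_FLAG in cflags.split()

def assess_build(version: str, cflags: str) -> dict:
    """Combine both checks: only a vulnerable library with heartbeats enabled is exposed."""
    vuln = openssl_version_vulnerable(version)
    disabled = heartbeats_disabled(cflags)
    return {"vulnerable_version": vuln,
            "heartbeats_disabled": disabled,
            "overall_vulnerable": vuln and not disabled}

# Constructed sample input mirroring the table above. The flag strings are
# hypothetical stand-ins for each build's compiler flags, not real AOSP data.
AOSP_BUILDS = {
    "4.4.2_r2": ("1.0.1e", "-DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS"),
    "4.1.2":    ("1.0.1c", "-DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS"),
    "4.1.1":    ("1.0.1c", "-DOPENSSL_THREADS"),
    "4.0.4":    ("1.0.0e", "-DOPENSSL_THREADS"),
}

def vulnerable_builds(builds: dict = AOSP_BUILDS) -> list:
    """Return the names of builds that fail the combined check, in input order."""
    return [name for name, (ver, flags) in builds.items()
            if assess_build(ver, flags)["overall_vulnerable"]]

if __name__ == "__main__":
    for name, (ver, flags) in AOSP_BUILDS.items():
        print(name, assess_build(ver, flags))
```

On the sample data only 4.1.1 fails the combined check, matching the table: its 1.0.1c library is vulnerable and nothing in its flags compiles the heartbeat code out.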
Additionally, while we have the Android OS version of OpenSSL to worry about, we must also be cognizant that Android developers can bundle their own separate copy of OpenSSL with their apps. The versions contained within these apps could also be vulnerable.
Bluebox has released a tool into the Google Play store called Heartbleed Scanner. The application will scan your device and recognize if you are running a vulnerable version of OpenSSL. We currently only check the version reported back by OpenSSL to flag possible vulnerability. Additionally, we scan all of the applications on your device and present you with the ones that contain their own OpenSSL library; you should follow up with those app developers to confirm they are using a safe version of OpenSSL.
If you are concerned about the vulnerability of your device and apps, then please run our scanner and then contact the manufacturer of your device and/or the developer of your apps to see if the version of OpenSSL is vulnerable.
Play Store link: https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner