The Internet security world mobilized to tackle the Heartbleed software bug. But although most of the holes have been patched, a big one remains: Millions of smartphones still operate on Android version 4.1.1, which remains vulnerable to hackers exploiting a design flaw in the bedrock encryption software OpenSSL. It’s a good time to check what your phone is running.
The bug and its repairs were announced on April 7. A week later, however, phones and tablets running on Android 4.1.1 remain at risk. More than a third of the 900 million mobile devices running Android use the 4.1 “Jelly Bean” version, which Google (GOOG) released in mid-2012. Version 4.2 replaced the 4.1 variations later that year.
The company says less than 10 percent of active Android devices are vulnerable to the Heartbleed flaw. That still means millions of people have a device that remains unprotected, as our colleagues at Bloomberg News report. “The device manufacturers and the carriers need to do something with the patch, and that’s usually a really long process,” Michael Shaulov, chief executive and co-founder of Lacoon Security, tells Bloomberg. To date, hackers have mostly focused their efforts on servers using OpenSSL and not on individual devices. Going after devices would be labor-intensive, requiring that each phone or tablet be targeted separately to exploit the bug and potentially steal data.
Still, it’s best not to give them the option. BlackBerry (BBRY) plans to release Heartbleed security updates for two of its products: BBM messaging for Android and Apple’s (AAPL) iOS, and its Secure Work Space corporate e-mail software.