a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by user-inactivated
user-inactivated  ·  3160 days ago  ·  link  ·    ·  parent  ·  post: 29% of Android devices can’t be patched by Google – Naked Security

    You might recall that ZDNet’s Adrian Kingsley-Hughes bestowed this memorable and burbly description on Google’s mobile operating system two years ago, when Android device vendors were lagging in patching vulnerabilities such as Heartbleed on their devices.

Uhhhhhh.... who cares?

This is one of my pet peeves about security vulnerabilities. It seems that nobody actually has a formal way of describing what devices get impacted and how they get impacted by certain vulnerabilities, just the severity level which for Heartbleed was obviously critical.

Did/do Android devices use OpenSSL? Yes. Do they have the code that is responsible for Heartbleed on them? Yes. Does Android ever call those lines of code? NO, unless you are doing something really weird with your phone (and it would likely require you to root it to do that weird thing).

Heartbleed exploits the SSL Heartbeat command and requires you to have an open port to exploit. Heartbleed only affects SSL servers, not clients. If your Android phone is unpatched for Heartbleed it doesn't matter, because you are only using your phone as an SSL client. Most vendors probably thought, "Who cares? Let's patch our datacenters which are actually vulnerable to attack." The only way I can imagine you getting affected by Heartbleed is if you were running your Android phone as a security camera connected to the open internet with a port forwarded through your router. The port forwarded through your router part is crucial, because most people use the various Android apps to do home security cameras which sends your camera footage through the internet as an SSL client, since port forwarding on routers is such a PITA for the average person.

Yes there are problems with unpatched phones and especially Android ones, but you can't treat every vulnerability equally, even critical ones. Heartbleed didn't affect 99.9% of Android phones, so who cares.

Think of it like having IE5 installed on your computer. Is it vulnerable? Yes. Are you using it? If you're running Firefox or Chrome, the vulnerable code is on your computer but not running or exploitable, much like the code behind Heartbleed on phones.