Did you think that because you have an Android phone you weren't vulnerable to the Heartbleed flaw in OpenSSL? Think again. The Guardian reported that 4 million Android phones in the United States could be at risk. Worldwide, the number of affected Android smartphones jumps to tens of millions.
Google put the figure at an estimated 50 million devices, stating that any Android phone running version 4.1.1 of Jelly Bean is affected. But how was that number arrived at? Chitika, an analytics firm, provided the usage data from which The Guardian derived its estimate. The problem isn't as bad as first stated, when hundreds of millions of devices were said to be at risk. The reason: most Jelly Bean phones run 4.1.2, which is not affected.
How Bad Is It?
Google has downplayed the number of vulnerable devices, reporting it to be less than 10 percent of all devices activated worldwide. However, Google has activated 900 million smartphones worldwide, so 10 percent is a lot more than a handful. What's more, the hundreds of millions of Android smartphones in China that don't rely on Google services aren't even counted in that figure.
Chitika compiled its data by monitoring network traffic over the course of a week (April 7 to April 13, to be precise). It found that 19 percent of Android 4.1 traffic came from devices on 4.1.1, while 81 percent came from 4.1.2 and less than 0.1 percent from 4.1.0. That share was then applied to Comscore figures, which put the number of Android phones in active use in the United States at 85 million. The simple calculation gives a minimum of 4 million phones exposed to the flaw.
These 4 million phones could be subject to what is called 'reverse Heartbleed.' In the familiar case, a client exploits the OpenSSL flaw to read a server's memory; in the reverse case, a malicious server exploits the same flaw in the phone's copy of OpenSSL to read the phone's memory, which may hold browser data including sensitive login details. The risk is, for now, theoretical, and publicising it is partly an effort to push those running older Jelly Bean versions to demand updates. Currently, manufacturers and carriers commit to providing updates for an Android device only for 18 months after its release. Google has fought to change this, but to no avail.
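To make the mechanism behind reverse Heartbleed concrete, here is a small added example (not code from the article, from Google or from OpenSSL) that models the TLS heartbeat message of RFC 6520 in Python. The heartbeat is a 1-byte type, a 2-byte payload_length, the payload, and at least 16 bytes of padding. OpenSSL 1.0.1 through 1.0.1f copied payload_length bytes into the reply without checking that the record actually contained that many; the 1.0.1g fix discards any request where header plus claimed payload plus padding exceeds the received record. Whether the attacker is a client (classic Heartbleed) or a server (reverse Heartbleed) makes no difference to the logic, so the same model covers both. The heap layout, the secret cookie and the memory contents are constructed assumptions, chosen so the leak is visible offline.

```python
"""Toy model of the TLS heartbeat extension (RFC 6520) showing why a peer
that trusts payload_length leaks memory, and the bounds check that OpenSSL
1.0.1g added. Constructed illustration only; this is not OpenSSL's code."""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length
PADDING_LEN = 16    # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest. An honest peer passes claimed_length=None;
    a Heartbleed attacker passes a value larger than len(payload)."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(record: bytes, process_memory: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes starting at the payload,
    never checking that the record really holds that many.
    process_memory models the heap: the record buffer followed by whatever
    happens to sit after it (here, a constructed session cookie)."""
    assert process_memory.startswith(record), "model assumes record sits at start of buffer"
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return b""
    echoed = process_memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def patched_respond(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: reject any request whose header, claimed payload
    and padding would not fit inside the bytes actually received."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + payload_len + PADDING_LEN > len(record):
        return None  # silently drop the request, as the fix does
    echoed = record[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, real_payload_len: int) -> bytes:
    """Everything a response echoes beyond the real payload and its padding
    is memory the responder never intended to send."""
    start = HEADER_LEN + real_payload_len + PADDING_LEN
    return response[start:-PADDING_LEN]


# Constructed scenario for the reverse case: a malicious server sends a
# 4-byte payload but claims 64 bytes, and the phone's heap happens to hold
# a session cookie right after the record buffer.
SECRET = b"Cookie: session=constructed-sample-token"   # constructed, not real
HONEST = build_heartbeat(b"ping")
MALICIOUS = build_heartbeat(b"ping", claimed_length=64)
CLIENT_MEMORY = MALICIOUS + SECRET + b"\x00" * 64

if __name__ == "__main__":
    print("vulnerable client leaks:", leaked_bytes(vulnerable_respond(MALICIOUS, CLIENT_MEMORY), 4))
    print("patched client, malicious request:", patched_respond(MALICIOUS))
    print("patched client, honest request:", patched_respond(HONEST))
```

The only difference between the two responders is the single length comparison in patched_respond, which is the shape of the actual 1.0.1g change; a phone whose OpenSSL lacks that check hands a malicious server up to 64 KB of its own memory per heartbeat. Note that the check is on the record actually received, not on the claimed length alone, so an honest 4-byte heartbeat is still answered.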
The issue is that many of the devices affected by this vulnerability are already past that 18-month window. Google responded that it has provided a software fix to the manufacturers, and the ball is in their court. Will they let the ball lie there, or will they do something with it? That is unclear.
iOS users can breathe a collective sigh of relief: Apple does not use the vulnerable version of OpenSSL on either the iPhone or the iPad. The same is true of Windows Phone and Windows, according to Microsoft.
Wondering if your Android phone is at risk? Security company Lookout offers a downloadable app that checks whether your device is in the clear. According to Lookout's principal security researcher, Marc Rogers, over 80 percent of Android 4.1.1 users who have run the check are indeed affected. In Germany the risk is five times greater, since the most popular Android smartphone there runs 4.1.1.
The good news: there is no indication so far that attackers have exploited this flaw against handsets. Because each device would have to be attacked one at a time, experts believe there is still a chance to fix the problem before exploitation moves from servers to phones.
Do you run Android 4.1.1?