android-heartbleed

Researchers said on Tuesday that many Android applications are susceptible to the Heartbleed bug, which can allow hackers and government officials to gather data from online services, despite assurances that most Android users aren’t at risk.

The researchers say these applications are vulnerable because their developers used their own OpenSSL libraries instead of relying on the library included in Android itself. (Funnily enough, some apps were protected because a coding error made them use Android’s library.) The affected applications are said to have been downloaded a cumulative 150 million times.

These apps will have to be updated with a new version of the OpenSSL library to remove the bug. Unfortunately, many of the apps claiming to detect Heartbleed vulnerabilities fail to identify the affected applications. It’s up to developers to warn their users about the bug. The researchers say many have already fixed their software, as the number of affected users fell from 220 million to 150 million just one week after they first noticed the issue.
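The bundling problem described above has a straightforward defender-side check that the detection apps the article mentions evidently do not perform: an APK is an ordinary zip archive, and every OpenSSL build compiles its version banner (for example "OpenSSL 1.0.1e 11 Feb 2013") into the library as a string, so a bundled copy can be found and its version compared against the affected range without running the app. The following Python script is an added example written for this page, not code from the article or from the researchers it cites; the sample APK, its library names and banner strings are constructed for illustration, and the version range it flags is Heartbleed's (CVE-2014-0160): 1.0.1 through 1.0.1f plus 1.0.2-beta1, fixed in 1.0.1g.

```python
"""Inventory bundled OpenSSL copies inside an Android APK and flag Heartbleed-era versions.

Native libraries live under lib/<abi>/*.so inside the APK zip. Every .so is scanned, not
only libssl/libcrypto, because apps that statically link OpenSSL into their own JNI library
are exactly the ones a filename-based check misses.
"""
import io
import re
import zipfile
from typing import List, Tuple

# The banner OpenSSL compiles into libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?) ")


def is_heartbleed_version(version: str) -> bool:
    """True when an OpenSSL version string falls inside the Heartbleed (CVE-2014-0160) range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", version)
    if not m:
        return False
    major, minor, fix, letter, beta = m.groups()
    base = (int(major), int(minor), int(fix))
    if base == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter <= "f"
    if base == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return beta == "1"
    # 0.9.8 and 1.0.0 never had the heartbeat extension code.
    return False


def scan_apk(apk: bytes) -> List[Tuple[str, str, bool]]:
    """Return (library path, OpenSSL version, vulnerable) for every banner found in native libs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            for m in BANNER_RE.finditer(data):
                version = m.group(1).decode("ascii")
                findings.append((name, version, is_heartbleed_version(version)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: fake .so payloads that carry only a version banner.

    The library names and banners are assumptions made for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")  # not a native library, never scanned
        zf.writestr("lib/armeabi-v7a/libcrypto.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...")
        zf.writestr("lib/armeabi-v7a/libssl.so", b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...")
        # OpenSSL statically linked into an app's own JNI library
        zf.writestr("lib/x86/libjni_chat.so", b"\x7fELF...OpenSSL 1.0.1c 10 May 2012\x00...")
        zf.writestr("lib/x86/libgame.so", b"\x7fELF...no crypto here\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, version, vulnerable in scan_apk(build_sample_apk()):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {version:12} {path}")
```

Treat the result as an inventory rather than a verdict. A banner inside the affected range is a strong indicator that the copy needs replacing; a banner outside it, or no banner at all, only means nothing was found, because a stripped binary may lack the string, and some vendors backport the fix without changing the version. An app with no bundled copy is using the platform's OpenSSL and inherits whatever state the device's Android release is in, which is the separate problem the article goes on to describe.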

This isn’t the first time Heartbleed has wounded Android users. Google previously revealed that millions of users stuck with an old version of the operating system are vulnerable to the bug, and that it is up to manufacturers to update their smartphones to newer versions of Android. Those updates won’t be coming any time soon: manufacturers have left these consumers with this version of Android for the last two years.

The good news is that most apps aren’t vulnerable to the bug, so long as they’re using the OpenSSL library included in newer versions of Android, and developers seem to be committed to protecting their users. That’s just about the only good thing about the researchers’ findings — besides that, it’s just more digital blood spilled by this historic security vulnerability.

Pando weighs in

I explored how small mistakes can have enormous consequences on the modern Web:

Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.

But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.

That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely-used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.

This led me to wonder why Internet security is entrusted to people working in their spare time:

It’s time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry “an enormous burden” that affects basically anyone who uses the Internet. We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?

And finally, I wrote about the problem many consumers will face when trying to defend their privacy after Google revealed that millions of Android smartphones are affected by the bug:

The discovery follows reports that the Heartbleed bug has been found in Wi-Fi routers from Cisco and Juniper Systems. The fix for that problem, according to one security expert, is going to involve “a trash can, a credit card, and a trip to Best Buy.” There’s little else people can do.

These warnings demonstrate the Heartbleed bug’s lasting impact. Large companies can and have fixed their websites or updated their infrastructure to protect their users’ information. But when consumers are using devices that have long since been abandoned by their creators or are difficult to upgrade, the only recourse seems to be either living with the possibility of being affected by Heartbleed or upgrading to new hardware unaffected by the vulnerability.