The Heartbleed vulnerability is receding a bit from the headlines. Earlier in the month, however, it was at the center of news as no other Internet-based security issue has been for the past few years.
The danger is far from over, however. Dark Reading reports that security firm FireEye points to ongoing danger. 150 million downloaded Android apps still can be affected by the OpenSSL vulnerability, based on scans of more than 54,000 apps that have been downloaded from Google Play more than 100,000 times.
The story says that about 70 million Android apps that were vulnerable have been patched. Without directly saying so, the story does a good job of pointing to the challenges of Android fragmentation. The bottom line is that there are many different versions of the Android OS and a lot of applications built for each. Determining where the danger lies isn’t necessarily easy:
How can Android users know which apps are still vulnerable? In general, anyone using a version of Android that isn’t 4.1.0 or 4.1.1 won’t be vulnerable, at least from an operating system standpoint. But vulnerable apps might still be running on the device, and there’s no clear-cut, reliable way to inventory or scan them all.
Know Your Mobile reported on the FireEye research and added two important items. The story says Look Mobile Security found that a small number of users of Android 4.2.2 also are affected, probably custom versions. The story also looks at nascent efforts to keep the situation from recurring.
This Digital Trends piece uses Heartbleed as a jumping off point for a discussion of different types of passwords and why they are important: Good passwords can’t prevent the next Heartbleed, but can keep the people who use them out of harm’s way.
The story, by Matt Behrens, has a very plain-spoken explanation of what Heartbleed did:
The Heartbleed bug allowed attackers to peel back the snoop-resistant lining of OpenSSL and peek at the communications between client and server. This gave hackers a look at things like passwords and session cookies, which are small pieces of data that the server sends you after you log in and your browser sends back every time you do something in order to prove it’s you. And if the bug affected a financial site, other sensitive information you were passing through the Net, like credit card or tax info, may have been seen.
Once bitten, twice shy, at least according to the Know Your Mobile story. It says that a better approach than OpenSSL is being developed. LibreSSL, which was unveiled by the developers of the OpenBSD operating system last week, promises to “strip away much of the clumsy, flawed and unnecessary code from OpenSSL to offer a slicker, more secure form of encryption.”
Matthew Goche and Trevor Christiansen mentioned Heartbleed in a discussion at Forbes of the keys to creating secure applications. They write that the code of the app must be reviewed, it must undergo security testing, the authors of the code should have security training and, in general, good security practices must be followed.