Friday, 11 April 2014

Android 4.1.1 Devices are Vulnerable to Heartbleed


It's not just websites and routers that are vulnerable to the web-wide bug Heartbleed — certain Android models are at risk too.

As Google noted in its own Heartbleed disclosures on Wednesday, Android devices running Android 4.1.1 Jelly Bean are vulnerable to Heartbleed. Google said patching information is being distributed to its Android partners.

So how many phones are still running Android 4.1.1? That's difficult to determine. Although 34.4% of Android devices are running Android Jelly Bean, Google doesn't break out what percentage of users are on its various versions — 4.1.1 and 4.1.2.

The latest version of Jelly Bean is 4.1.2, which was released in October 2012.

A Google spokesperson confirmed to Bloomberg that there are "millions" of devices running Android 4.1.1.

Because Android updates are controlled by phone manufacturers and wireless carriers, it can be challenging to determine what versions of Android are available for various devices. We do know, however, that the HTC One S is running Android 4.1.1.

Heartbleed underscores what has long been one of Android's biggest problems: pushing out software updates to its myriad vendors. Android updates are the responsibility of the device maker, and often need to be approved by wireless carriers. The only exceptions are Google-made devices, such as the Nexus series and Google Play Edition phones.

Previous attempts at getting phone manufacturers and carriers to adopt Android updates have not met with success. If there is a silver lining to Heartbleed, it is that this might scare device makers into paying more attention to versions (and into putting in better processes for security updates).

If you know your Android device is running Android 4.1.1, let us know the model and manufacturer in the comments, along with your wireless carrier. That will give us all a better sense of which companies are falling behind in the battle to patch Heartbleed.