Heartbleed bug
norabella
Enthusiast - Level 2

So the version of OpenSSL is vulnerable to the Heartbleed bug, according to Bluebox. This is what Verizon tells me via chat:

Julissa: Thank you for waiting. The OpenSSL is part of the android device, as you can add apps from third-party sources or even your own apps. As long as you keep the Unknown Sources option turned off on your phone, there is not much risk.

Julissa: You can find this option in Settings > Security & Screen Lock > Unknown Sources

Julissa: Great, the updates on the phone security are completed periodically. New bugs and risks pop up all the time and they are addressed with each update. I don't have a date on the next update on your phone, sorry about that.

Julissa: The biggest threat on a phone is from apps. Always make sure to check the ratings and comments from other users. As well as making sure it is a trusted developer.


I do not find this answer reassuring in the least.

0 Likes
Re: Heartbleed bug
lando13
Enthusiast - Level 3

The vulnerability is on servers not phones. So, I don't think you have to worry about this. Unless you have a server running android, you're good.

Re: Heartbleed bug
norabella
Enthusiast - Level 2

Not what I heard on NPR. There's a specific app called the Bluebox Heartbleed Scanner that I ran on my phone. It says "Android OS OpenSSL version 1.0.1c" and that "this version is of OpenSSL is vulnerable." I don't believe that OpenSSL is limited to servers.

0 Likes
Re: Heartbleed bug
Ann154
Community Leader

I'm most definitely NOT a VZW employee. If a post answered your question, please mark it as the answer.

Re: Heartbleed bug
TheTarquin
Newbie

Wow, that's not good.  The Heartbleed bug affects any device or computer running OpenSSL for secure connections.  It can leak details about other users of the system.  Until Verizon patches their web servers, DO NOT provide any sensitive data like credit card info, personal ID info, etc.

This is literally the worst bug the Internet has seen in years.  That Verizon hasn't patched their servers yet is completely unconscionable.

0 Likes
Re: Heartbleed bug
norabella
Enthusiast - Level 2

Well, this article indicates that Android OS is OK except for 4.1.1. I've got 4.1.2. So maybe the Bluebox scanner is wrong? I am not sure I see how, because it's looking for the specific version of OpenSSL that is vulnerable. I assume the fix to this created a new version of OpenSSL.

0 Likes
Re: Heartbleed bug
norabella
Enthusiast - Level 2

Tarquin, I'm not saying that the Verizon servers are affected. This is just about the Android OS. I would bet that Verizon has addressed the issue on their web site, but it sure would be nice if they said something to that effect.

0 Likes
Re: Heartbleed bug
norabella
Enthusiast - Level 2

Now the Bluebox app won't launch, and their description at the app store says they apologize for any confusion with prior reports of devices being labeled as vulnerable (I assume when they weren't, which they don't actually say?). Confusion? Is it confusion when they get it wrong? How about not [removal required by the Verizon Wireless Terms of Service] around and saying you were wrong? I never got it to run in the "updated" state, but I'm thinking I don't want to. This is just great. Seems like a lot of programming hysteria around this bug. Just trying to do the right thing and be proactive. I think I'm going to let this one go and assume my Android is OK. Jeez.

0 Likes
Re: Heartbleed bug
norabella
Enthusiast - Level 2

Ha ha ha! I got a word censored! Apparently one should not discuss the feet of felines on this site. Hee hee hee.

0 Likes
Re: Heartbleed bug
hearmenow
Newbie

Apps aren't the problem.  It's whether or not they've patched their server. I'm not reassured, either.  Julissa doesn't know what she's talking about.

0 Likes