Heartbleed flaw present in millions of Android devices

The Heartbleed flaw, a hole in the OpenSSL software two-thirds of websites use to encrypt data, is also present in millions of Android devices, reports Ars Technica.

Mobile devices running version 4.1.1 of Google's Android OS are vulnerable to the flaw, which could enable an attacker to steal passwords, personal messages and other data out of the device's memory.

The Guardian newspaper estimates that there are 50 million vulnerable Android devices worldwide, four million in the U.S. alone.

In a blog post, Google said that it has distributed a patch for the flaw in Android 4.1.1 to its partners.

"We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe," writes Matthew O'Connor, a product manager at Google.

"We've assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services," says O'Connor.

Lookout Mobile says that "some versions of Android 4.2.2 that have been customized by the carriers or hardware manufacturers have also been found to be susceptible," Ars Technica notes.

For more:
- check out the Ars Technica article
- see The Guardian report
- read the Google blog
