HTC tops list of manufacturers with Heartbleed-vulnerable smartphones, says Lookout

HTC produces the three most popular Android smartphones vulnerable to the Heartbleed bug--the HTC Evo, One S and One X--according to data compiled by security firm Lookout from 100,000 Heartbleed Detector users.

As FierceMobileIT reported last week, there could be as many as 50 million Android smartphones vulnerable to the Heartbleed flaw, which could enable an attacker to steal passwords, personal messages and other sensitive data out of the device's memory.

Most of the vulnerable smartphones are running Android 4.1.1 (Jelly Bean), but some are running 4.22, explains Lookout in a SlideShare presentation. In addition to the HTC smartphones, the Motorola ATRIX HD is one of the most vulnerable devices.

Lookout estimates that 3.4 percent of Android users in the U.S. are running OpenSSL versions vulnerable to Heartbleed.

The security firm explains that Android smartphones are vulnerable through "reverse" Heartbleed. "Most people are talking about Heartbleed, where a malicious client steals data from a vulnerable server. But it works in reverse as well. A malicious server could steal data from a vulnerable client, such as your Android phone."  

The security firm explains that iOS devices are not vulnerable to Heartbleed because Apple does not ship iOS with OpenSSL.

Chris Nerney with CiteWorld blames the high number of devices susceptible to the security flaw on the "disastrously slow" Android update process. Users running the vulnerable Jelly Bean operating system "must rely on an Android partner distribution system that has upgraded KitKat at the scorching pace of 1% of devices per month. It's a terribly inefficient system that not only frustrates and confuses users, but makes IT professionals leery of supporting Android and its seemingly infinite versions."

Nerney adds: "Both hardware manufacturers such as Samsung and HTC and major carriers stand between Android updates and users. Any new version of Android must run a gauntlet of customization by handset makers and telcos before being distributed to users, a process that can take months."

This might explain why HTC smartphones are the most vulnerable to Heartbleed, according to the Lookout data.

For more:
- read the Lookout blog
- check out Nerney's CiteWorld article
