Millions of android devices vulnerable to heartbleed bug

As Google said in its own Heartbleed disclosures on 9 april that Android devices running Android 4.1.1 Jelly Bean are vulnerable to Heartbleed. Google said patching information is being distributed to its Android partners.

So how many phones are still running Android 4.1.1? That’s difficult to determine. Although 34.4% of Android devices are running Android Jelly Bean, Google doesn’t break out how what percentage of users are on its various versions — 4.1.1 and 4.1.2.

The latest version of Jelly Bean is 4.1.2, which was released in October 2012.

A Google spokesperson confirmed to Bloomberg that there are “millions” of devices running Android 4.1.1.

Because Android updates are controlled by phone manufacturers and wireless carriers, it can be challenging to determine what versions of Android are available for various devices. We do know, however, that the HTC One S is running Android 4.1.1.

Heartbleed underscores what has long been one of Android’s biggest problems: pushing out software updates to its myriad vendors. Android updates are the responsibility of the device maker, and often need to be approved by wireless carriers. The only exceptions are Google-made devices, such as the Nexus series and Google Play Edition phones.

Previous attempts at getting phone manufacturers and carriers to adopt Android updates have not met with success. If there is a silver lining to Heartbleed, it is that this might scare device makers into pay more attention to versions (and to put in better processes for security updates).

Sources:

1. Google Online security blog
2. Bloomberg.com
3. Mashable.com