Heartbleed flaw spotlights Android's disastrously slow update process

[Image: Heartbleed graffiti. Credit: snoopsmaus]

Jelly Bean powers millions of activated Android devices.

It’s a good thing the Heartbleed OpenSSL bug, which allows the theft of encrypted data, only affects Android devices running an old version of Jelly Bean that hardly anyone uses.

Oh, wait.

Turns out that Android 4.1, released in July 2012, is running on more than one-third of all active Android devices, making it the most-used version of Google’s open source mobile OS.

As of April 1, 34.4% of active Android devices were running 4.1.x, the oldest of the three major versions of Jelly Bean. Of those, Google hasn't disclosed how many are running 4.1.1 -- the version affected by Heartbleed -- except to say that it's less than 10%. Reporter Charles Arthur of The Guardian has run some numbers that suggest it's running on perhaps 50 million devices. [Update: these numbers have been corrected from the original post.]*

And KitKat? The “new” version of Android (4.4), released on Halloween, or more than five months ago, currently is active on only 5.3% of Android devices.

Google also assures customers that “patching information for Android 4.1.1 is being distributed to Android partners.”

And therein lies the problem.

The Heartbleed bug and patch were announced simultaneously on April 7 by Google and Finland-based Codenomicon. It has been called catastrophic because about two-thirds of Internet sites use OpenSSL encryption. Millions of sites immediately began applying the patch, while Google also moved quickly to patch a number of its services, including Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics, and Tag Manager.

But Android owners running the first version of Jelly Bean must rely on an Android partner distribution system that has upgraded KitKat at the scorching pace of 1% of devices per month. It’s a terribly inefficient system that not only frustrates and confuses users, but makes IT professionals leery of supporting Android and its seemingly infinite versions.

Hardware manufacturers such as Samsung and HTC, as well as the major carriers, stand between Android updates and users. Any new version of Android must run a gauntlet of customization by handset makers and telcos before it is distributed to users, a process that can take months.

It would be nice to assume that patches and fixes for serious flaws would be handled in a more expeditious fashion. It’s great that Verizon told Bloomberg on Saturday that “we are working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1,” but is that going to take days or weeks?

Meanwhile, Sprint said today it is “working with Google to receive the patch required to remedy the problem.” Again, when does “working with” become “we’ve issued the fix for Heartbleed”? As for AT&T, it posted information about Heartbleed in a blog post last Friday, but has since made no mention of patching Android devices.

If you’re wondering whether your Android device is affected by Heartbleed, you can download an app from mobile security vendor Lookout that will let you know.

*The original version of this post misstated the number of devices running Android 4.1.1, the version of Android vulnerable to Heartbleed. CITEworld regrets the error.