Android Update Patches OpenSSL Bug

News
By published

An Android update patches a significant OpenSSL flaw, making Android devices much safer from potential security breaches.

Thanks to a minor system update, Android users can now rest a bit easier. Android version 4.4.4 patches an exploitable OpenSSL flaw, making mobile devices much safer from potential security breaches.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

Only Google's own Nexus devices have access to the update at present, which Nexus owners can either download from the Google Developers page or wait until it hits their devices automatically within the next few weeks. In our own tests, we found that a Nexus 10 had not yet received the update, and did not find it when we prompted it to search.

Android 4.4.4 addresses a vulnerability in the OpenSSL protocol. In layman's terms, OpenSSL is a common method that websites and programs use to encrypt user information. A security flaw dubbed CVE-2014-0224 was able to exploit a piece of OpenSSL code that allowed it to decrypt user information while it was in transit online between the user and the receiving party. The new Android update will render that particular bug moot.

According to Sascha Prüter, an Android engineer at Google, the update will also address a number of other minor security concerns. Android developers can expect to see an open source version of the code within the next two days.

All in all, 4.4.4 is not the most exciting update you'll ever install on your Android device, but it may help keep you safe when the next big security breach hits. Those who don't have Nexus devices will have to wait, though. Generally, mobile providers wait much longer than Google to provide Android updates, and for older phones, they may not provide updates at all.

Follow Marshall Honorof @marshallhonorofand on Google+. Follow us @tomsguide, on Facebook and on Google+.

Marshall Honorof
Marshall Honorof

Marshall Honorof was a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.

1 Comment Comment from the forums
  • house70
    "All in all, 4.4.4 is not the most exciting update you'll ever install on your Android device, but it may help keep you safe when the next big security breach hits. Those who don't have Nexus devices will have to wait, though. Generally, mobile providers wait much longer than Google to provide Android updates, and for older phones, they may not provide updates at all."

    Actually, this could not be further from the truth. OEMs implement their own proprietary kernels, so some exploits might be valid for some devices while other devices are immune from same exploits. Google HAD to go up on their own AOSP-based kernel, since it involves a kernel modification. Other manufacturers might not have to do the same, and it would not be the first time that while some devices were vulnerable, others were immune. IMO, 4.4.4 just includes a couple security features ommited from 4.4.3.
    Last but not least GPE devices have received any/all applicable updates within a couple weeks from Nexus devices.
    Can't really have great expectations from a website that missed the release of 4.4.3 completely, like it never happened (let alone publishing any change-logs or anything pertaining to the subject). If you want to keep up with Android news this is not the best place to be. iOS, however, is extensively covered . To each his/her own.
    Reply