So the version of OpenSSL is vulnerable to the Heartbleed bug, according to Bluebox. This is what Verizon tells me via chat:
Julissa: Thank you for waiting. The OpenSSL is part of the Android device, as you can add apps from third-party sources or even your own apps. As long as you keep the Unknown Sources option turned off on your phone, there is not much risk.
Julissa: You can find this option in Settings > Security & Screen Lock > Unknown Sources
Julissa: Great, the updates on the phone security are completed periodically. New bugs and risks pop up all the time and they are addressed with each update. I don't have a date on the next update on your phone, sorry about that.
Julissa: The biggest threat on a phone is from apps. Always make sure to check the ratings and comments from other users. As well as making sure it is a trusted developer.
I do not find this answer reassuring in the least.
Not what I heard on NPR. There's a specific app called the Bluebox Heartbleed Scanner that I ran on my phone. It says "Android OS OpenSSL version 1.0.1c" and that "this version is of OpenSSL is vulnerable." I don't believe that OpenSSL is limited to servers.
Wow, that's not good. The Heartbleed bug affects any device or computer running OpenSSL for secure connections. It can leak details about other users of the system. Until Verizon patches their web servers, DO NOT provide any sensitive data like credit card info, personal ID info, etc.
This is literally the worst bug the Internet has seen in years. That Verizon hasn't patched their servers yet is completely unconscionable.
Well, this article indicates that Android OS is OK except for 4.1.1. I've got 4.1.2. So maybe the Bluebox scanner is wrong? I am not sure I see how, because it's looking for the specific version of OpenSSL that is vulnerable. I assume the fix to this created a new version of OpenSSL.
Tarquin, I'm not saying that the Verizon servers are affected. This is just about the Android OS. I would bet that Verizon has addressed the issue on their web site, but it sure would be nice if they said something to that effect.
Now the Bluebox app won't launch, and their description at the app store says they apologize for any confusion with prior reports of devices being labeled as vulnerable (I assume when they weren't, which they don't actually say?). Confusion? Is it confusion when they get it wrong? How about not [removal required by the Verizon Wireless Terms of Service] around and saying you were wrong? I never got it to run in the "updated" state, but I'm thinking I don't want to. This is just great. Seems like a lot of programming hysteria around this bug. Just trying to do the right thing and be proactive. I think I'm going to let this one go and assume my Android is OK. Jeez.