By now, you’ve heard of Heartbleed. You’ve heard that this bug can be exploited to allow hackers to gain sensitive information from well-known services, many of which are still in the process of being patched. Just this morning, after days of outages, the Canadian Revenue Agency said that it has been subject to data theft from Heartbleed, likely between the time the bug was made public and the time the government decided to shut down its databases.
Bluebox, a security company, has done considerable work auditing Android versions from Ice Cream Sandwich and later (the OpenSSL bug that causes Heartbleed was only implemented after the release of Android 4.0, so Gingerbread and older are actually safe). They found that Android 4.1.1 is the only version inherently exposed to the SSL bug, as it implements both the insecure OpenSSL and heartbeats, which are disabled in subsequent releases.