Hacker News new | ask | show | jobs
by 0x0 4449 days ago
Are Android or iOS affected? Android seems to ship openssl 1.0.

Could a malicious server attack clients? Perhaps expose a browser's cookie jar or other saved passwords in memory?

The number of installed openssl clients across all devices and computers must be quite large.
3 comments
lxgr 4448 days ago
It seems that Android has dodged this bullet by compiling OpenSSL with NO_HEARTBEATS: https://twitter.com/agl__/status/453472368589942785
link
welder 4449 days ago
Yes, the vulnerable code is used by both client and server so any client using openssl is affected.
link
biafra 4448 days ago
Which parts of Android really use OpenSSL to do TLS with this heartbeat feature enabled?

The browsers? All Apps running on Dalvik? All apps running on ART?

link
hrrsn 4449 days ago
OpenSSL doesn't seem to be installed on my jailbroken iPhone.
link