Heartbleed threatens mobile users
As time passes, it becomes more and more obvious that almost no one is safe from the danger created by the OpenSSL Heartbleed bug.
In the days after the public disclosure of the bug, Google made it known that only Android version 4.1.1 was vulnerable.
It was later explained that nearly all Android versions from 4.1 and up contain vulnerable versions of OpenSSL, but that all except version 4.1.1 have the “heartbeats” function turned off and, therefore, aren’t vulnerable.
Google began distributing patching information for Android 4.1.1 to Android partners almost immediately, but it’s a well-known fact that many manufacturers and carriers are not fast when it comes to pushing out Android updates.
The statistics provided by Google say that nearly one billion people around the world use Android 4.1.1, and that some of them can’t upgrade to a newer, non-vulnerable version because the devices they use are simply too old.
The manufacturers of these devices are currently working on implementing the security patch issued by Google so that they can offer it to those customers.
To check whether your Android device is vulnerable, you can use Lookout’s Heartbleed Detector app.
Users of devices running Apple’s iOS are safe, as the company has stated that “iOS and OS X never incorporated the vulnerable software, and key Web-based services were not affected.”
Microsoft’s Windows Phone also does not use OpenSSL. BlackBerry said that its smartphones are not affected, but has announced that it will soon roll out a patch for its BlackBerry Messenger app for Android and iOS.
Digital Trends has a good overview of popular apps affected by the vulnerability and whether they have been fixed or not.
They also warned that many apps use in-app payment systems powered by Apple, Google or Microsoft (depending on the OS), and that Google’s in-app payment system was affected by the bug, but has since been fixed. Users are, therefore, advised to change their Google/Android password.
Mobile security company Bluebox has also made available Heartbleed Scanner, an Android app that will scan your device and recognize whether you are running a vulnerable version of OpenSSL, as well as scan all of the applications on your device and present you with the ones that contain their own OpenSSL library.
Late last week, Trend Micro researchers scanned around 390,000 apps from Google Play, and found that some 7,000 apps are connected to vulnerable servers. Among these were also bank-related, payment-related and online shopping-related apps.
The researchers noted that the users themselves can’t do much about this aside from pestering the developers of vulnerable apps to upgrade to the patched version of OpenSSL or turn off the heartbeats extension.
“Until then, what we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities),” they concluded.