The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.
All the extended coverage of the flaw begs the question, “Are mobile devices affected by this?” The short answer: yes.
Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.
Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.
What about apps that don’t offer in-app purchases? Are they safe from this vulnerability? Not really—as long as it connects to an online server, it’s still vulnerable, even if your credit card isn’t involved. For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards.
Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on their own, through their own in-app browser, and have you log into the social network there. While we’re not saying the social networks you go are vulnerable to the Heartbleed bug, the possibility is there, and thus the risk is there as well.
We looked deeper into the matter, and inspected some web services used by popular mobile apps and the results show that the vulnerability still exists.
We scanned around 390,000 apps from Google Play, and found around 1,300 apps connected to vulnerable servers. Among them are 15 bank-related apps, 39 online payment-related, and 10 are online shopping related. We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps–and most concerning, even mobile payment apps. These apps use sensitive personal and financial information—data mines just ripe for the cybercriminal’s picking.
What can be done against the Heartbleed bug, then? Not a whole lot, we’re afraid. We can tell you to change your password, but that’s not going to help if the app developers—and the web service providers as well—don’t fix the problem on their end. This means upgrading to the patched version of OpenSSL, or at least turning off the problematic heartbeat extension.
Until then, what we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favorite app’s developer releases a patch that does away with the vulnerability. We’ll keep you updated in the meantime as to all that’s happening with the Heartbleed bug.
Update as of April 11, 2014, 8:45 A.M. PDT
After doing a second round of scanning, we have found that around 7,000 apps are connected to vulnerable servers.
For other posts discussing the Heartbleed bug, check these other posts:
- Trend Micro Heartbleed Detector Now Available
- Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed
- Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
- Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability