Heartbleed risk for Android devices: How to check if you’re affected
If you own an Android device, your data may be vulnerable to the Heartbleed bug, and newly released information details how you can check whether you're at risk.
The Heartbleed bug has thrown a grenade onto the Internet security community, posing a huge threat to companies and users alike. For those of you unfamiliar with the issue, Heartbleed is a vulnerability in the OpenSSL software library that allows hackers to steal sensitive data directly from the memory space of an application. The bug sits in how OpenSSL handles the heartbeat messages sent over an SSL/TLS connection, and it lets attackers learn the private keys that should keep data securely encrypted as it moves over the Internet.
Major companies started to update their software to patch the bug as soon as the issue surfaced, but the Heartbleed bug affected a huge number of websites, and the potential damage is still considerable. Considering how popular SSL encryption is, researchers believe the bug affected as much as two-thirds of the Web, including mobile devices.
Apple, for its part, said that its iOS platform was not vulnerable to Heartbleed-based attacks, but things are quite different with Android devices. According to Google, vulnerable versions of OpenSSL are present in nearly all versions of AOSP from 4.1 and up. All except one had heartbeats turned off, however, which means that the risk is not that great. Android 4.1.1 is the only version that had the heartbeat feature turned on, leaving only devices running this version vulnerable to Heartbleed-based attacks.
On the other hand, if OEMs have switched the heartbeat feature back on within their device's software, those devices would be vulnerable as well. Thanks to newly released information, you can now check whether your device or any of the apps installed on it are vulnerable to a Heartbleed attack.
Security company Bluebox has launched a Heartbleed Scanner app on the Google Play store, which is designed to run a quick check and determine whether your device is vulnerable or not.
"If you are concerned about the vulnerability of your device and apps then please run our scanner and then contact the manufacturer of your device and/or the developer of your apps to see if the version of OpenSSL is vulnerable," Bluebox explains.
The Bluebox Heartbleed Scanner can look for apps installed on your phone and see if they've bundled their own version of OpenSSL. The app will also check the version of the library and see whether heartbeat was enabled. If the scan finds any apps that show vulnerabilities, you can report them on the Google Play store and send an email to the app's developers (you can find the email addresses in the Play store listing). It is advisable to stop using any app that is found to be vulnerable, as it may compromise your data. To run a quick scan and see whether your Android device is at risk, head over to the Google Play store and get the Bluebox Heartbleed Scanner.
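For readers who want to see what such a check involves, here is a sketch of the two tests described above (does an app bundle its own OpenSSL, and was heartbeat compiled in), run over an app package. It is an added example, not Bluebox's code: the function names, the name-based heartbeat heuristic and the sample APK contents are all assumptions constructed for illustration.

```python
import io
import re
import zipfile

# libssl/libcrypto embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-[a-z0-9]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")
# Assumption: these function names survive in the library only when the
# heartbeat extension is compiled in (OPENSSL_NO_HEARTBEATS builds omit them).
# A stripped, statically linked binary can defeat this name-based heuristic.
HEARTBEAT_NAMES = (b"tls1_heartbeat", b"dtls1_heartbeat")


def scan_library(data):
    """Return (version, heartbeat_compiled_in), or None if no OpenSSL banner."""
    match = BANNER.search(data)
    if match is None:
        return None
    heartbeat = any(name in data for name in HEARTBEAT_NAMES)
    return match.group(1).decode("ascii"), heartbeat


def scan_apk(apk_bytes):
    """Check every native library (lib/<abi>/*.so) packaged inside an APK."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                result = scan_library(apk.read(name))
                if result is not None:
                    findings[name] = result
    return findings


def build_sample_apk():
    """Constructed sample: a fake APK with three fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi/libssl_a.so",
                     b"\x7fELF..OpenSSL 1.0.1e 11 Feb 2013\x00tls1_heartbeat\x00")
        apk.writestr("lib/armeabi/libssl_b.so",
                     b"\x7fELF..OpenSSL 1.0.1e 11 Feb 2013\x00ssl3_connect\x00")
        apk.writestr("lib/armeabi/libgame.so", b"\x7fELF..no tls code here\x00")
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, (version, heartbeat) in sorted(scan_apk(build_sample_apk()).items()):
        print(lib, version, "heartbeat compiled in" if heartbeat else "heartbeat off")
```

A library reported with heartbeat compiled in is the one to raise with the app's developer, who can compare the reported version against the OpenSSL project's advisory.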