There’s no doubt that Heartbleed has shaken up the internet security community and thrown a big challenge to companies and users alike.
Heartbleed, a vulnerability in the OpenSSL software library, allows an attacker to steal data directly from the memory space of an application. It taps into the heartbeats that an SSL/TLS connection produces, and an attacker could learn the private keys used to keep data securely encrypted as it travels over the Internet. As soon as word got out, the major companies were ready with updated versions that plugged the bug, but the scale of Heartbleed-affected websites is humongous. As much as two-thirds of the Web is said to be affected, given how popular SSL encryption is. In fact, even mobile apps have built-in encryption so that you can log in safely, so naturally mobile devices will also be affected. Apple has said its iOS is safe from Heartbleed-based attacks, but that’s not the case with all Android devices.
Google has said that nearly all versions of AOSP from 4.1 and up contain vulnerable versions of OpenSSL, but all except one had heartbeats turned off, so no one could attack these systems. Only Android 4.1.1 had the heartbeat feature turned on, so those devices are vulnerable. Moreover, some OEMs may have switched the heartbeat feature back on in their phones’ software, which leaves them vulnerable too. So how do you check whether your phone or any of the apps on it can fall prey to a Heartbleed attack?
Security software company Bluebox has released a Heartbleed Scanner on the Google Play Store, which will quickly check whether your device is safe or not. If you recall, Bluebox had also stepped in with a similar tool after announcing the discovery of the major ‘Master Key’ Android vulnerability. The Bluebox Heartbleed Scanner looks for apps installed on your device that have bundled their own version of OpenSSL, and checks the version of the library and whether heartbeat is enabled.
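A simplified sketch of the kind of check described above, added here as an example (it is not Bluebox's code): it opens an APK as a zip, looks for an OpenSSL version banner in each bundled native library, and checks for heartbeat handler symbols. The 1.0.1 to 1.0.1f vulnerable range comes from the OpenSSL advisory rather than this article; the symbol-string heuristic and the sample APK contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013" in its binaries.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*) ")
# Heartbeat handlers in OpenSSL 1.0.1; assumption: the names are not stripped.
HEARTBEAT_MARKERS = (b"tls1_process_heartbeat", b"dtls1_process_heartbeat")


def is_vulnerable_version(base: bytes, letter: bytes) -> bool:
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix."""
    return base == b"1.0.1" and letter in (b"", b"a", b"b", b"c", b"d", b"e", b"f")


def scan_apk(apk_bytes: bytes) -> list:
    """Return one finding per native library that embeds an OpenSSL banner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = apk.read(name)
            match = VERSION_RE.search(blob)
            if match is None:
                continue
            base, letter = match.groups()
            heartbeat = any(marker in blob for marker in HEARTBEAT_MARKERS)
            # A vulnerable version with heartbeat compiled out is not at risk.
            findings.append({"library": name, "version": (base + letter).decode(),
                             "heartbeat": heartbeat,
                             "at_risk": is_vulnerable_version(base, letter) and heartbeat})
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a zip holding three fake native libraries."""
    old, new = b"\x7fELF OpenSSL 1.0.1e 11 Feb 2013\x00", b"\x7fELF OpenSSL 1.0.1g 7 Apr 2014\x00"
    hb = b"tls1_process_heartbeat\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libssl_old.so", old + hb)   # vulnerable, heartbeat on
        z.writestr("lib/armeabi/libssl_nohb.so", old)       # vulnerable, heartbeat off
        z.writestr("lib/armeabi/libssl_new.so", new + hb)   # patched version
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Only the first sample library is reported as at risk; the second mirrors the AOSP case described earlier, where a vulnerable OpenSSL version ships with heartbeats turned off.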
It’s important that if you find any apps that do show a vulnerability, you report it on the Play Store in the app’s review section and also shoot off an email to the developers. The emails are provided in the Play Store listing. You can continue using an app which is shown as vulnerable, though your data might not be all that secure, now that the Heartbleed technique has hit the news and anyone can try to break in.
Sep 23, 2014