ITEM: If you were wondering if mobile apps are immune to the Heartbleed bug – they’re not.
A blog post from Veo Zhang, a mobile threats analyst at Trend Micro, says the company found that around 7,000 of the 390,000 apps it scanned from Google Play connect to servers vulnerable to the Heartbleed bug, including 15 bank-related apps, 39 online-payment apps and 10 online-shopping apps.
(Note: that number has been revised upwards a few times on Zhang’s blog to the current 7,000, so it’s possible that number could go up.)
Zhang says Trend Micro also found “several popular apps” that many people use on a daily basis, such as instant messaging apps, health care apps, keyboard input apps and even mobile payment apps – all of which handle sensitive personal and financial information.
The reason mobile apps are exposed to Heartbleed – a bug in OpenSSL’s TLS heartbeat extension that lets an attacker read up to 64 KB of a server’s memory per request, potentially including private encryption keys, session cookies and user data – is that the apps routinely connect to servers and web services to do their work, and it is those servers that get attacked, Zhang explains:
Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.
Trend Micro adds that in-app purchases are just one example: even apps that only ask you to “like” them on a social network or follow them for free rewards could be affected. Essentially, if the app talks to a vulnerable server, the data it sends to that server could be at risk.
What can you do about it? Not much, says Zhang:
We can tell you to change your password, but that’s not going to help if the app developers — and the web service providers as well — don’t fix the problem on their end. This means upgrading to the patched version of OpenSSL, or at least turning off the problematic heartbeat extension.
Until that happens, Trend Micro advises users to avoid in-app purchases and any other financial transactions on their mobile devices until the app developer (and the services behind the app) have applied the fix.
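To make concrete what the heartbeat bug Zhang describes actually does on the server side, and what the OpenSSL fix he refers to checks, here is an added Python simulation; it is not part of Zhang’s post or of OpenSSL itself. OpenSSL 1.0.1 through 1.0.1f are affected, 1.0.1g added the bounds checks modelled below, and builds compiled with OPENSSL_NO_HEARTBEATS are unaffected. The code lays one TLS heartbeat record in a byte buffer followed by a constructed stand-in for “adjacent memory” (a fake session cookie and card number), then runs the unpatched logic, which trusts the attacker-supplied payload_length field, beside the patched logic, which drops any request whose claimed length exceeds the real record. The memory layout, the secret bytes and all function names are assumptions for illustration.

```python
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # OpenSSL appends 16 bytes of random padding to every heartbeat

# Constructed stand-in for whatever happened to sit in the server's heap right after
# the incoming record: a session cookie and a card number from an earlier request.
ADJACENT_MEMORY = b"\x00\x00Cookie: session=8f3ac1e9; card=4111111111111111\x00\x00"


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat body: type (1) | payload_length (u16 big-endian) | payload | padding.
    An honest client sets payload_length to len(payload); an attacker inflates it."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_process_heartbeat(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Unpatched OpenSSL 1.0.1-1.0.1f behaviour: the number of bytes echoed back is
    taken from the attacker's payload_length field and never compared with rec_len,
    so the copy runs past the record into whatever memory follows it."""
    hbtype = memory[rec_off]
    (payload_length,) = struct.unpack_from("!H", memory, rec_off + 1)
    payload_start = rec_off + 3
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload_length): Python slicing stops at the end of the buffer,
    # where the C code keeps reading up to 64 KB of whatever lies beyond the record.
    echoed = bytes(memory[payload_start:payload_start + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * PADDING_LEN


def patched_process_heartbeat(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g behaviour: two bounds checks against the real record length,
    and a silent discard (no response at all) when either check fails."""
    if 1 + 2 + PADDING_LEN > rec_len:  # record too short to hold even an empty payload
        return None
    hbtype = memory[rec_off]
    (payload_length,) = struct.unpack_from("!H", memory, rec_off + 1)
    if 1 + 2 + payload_length + PADDING_LEN > rec_len:  # claimed length exceeds the record
        return None
    payload_start = rec_off + 3
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(memory[payload_start:payload_start + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * PADDING_LEN


def simulate(handler: Callable[[bytearray, int, int], Optional[bytes]],
             claimed_length: Optional[int] = None) -> Optional[bytes]:
    """Place one 'ping' heartbeat record in front of ADJACENT_MEMORY and hand it to handler."""
    record = build_heartbeat(b"ping", claimed_length)
    memory = bytearray(record + ADJACENT_MEMORY)
    return handler(memory, 0, len(record))


def leaks_secret(handler: Callable[[bytearray, int, int], Optional[bytes]],
                 claimed_length: int = 0xFFFF) -> bool:
    """True if a heartbeat claiming claimed_length bytes gets the card number echoed back."""
    response = simulate(handler, claimed_length)
    return response is not None and b"4111111111111111" in response


if __name__ == "__main__":
    print("unpatched leaks adjacent memory:", leaks_secret(vulnerable_process_heartbeat))
    print("patched leaks adjacent memory:  ", leaks_secret(patched_process_heartbeat))
```

The 64 KB ceiling comes from payload_length being a 16-bit field; the attacker cannot choose what lands in that window, but can send the request over and over, which is why repeated probing of a server that holds card numbers or session cookies in memory is the realistic threat the post describes, rather than a single targeted read.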
In related news, CloudFlare (which provides performance and security services for websites) posted on Friday that while it is possible to use Heartbleed to steal a server’s private SSL key – the worst-case outcome of this particular bug – doing so takes a lot of effort.
Note that it’s a pretty technical read. If you need something a little simpler, this xkcd cartoon may be just what you need.