The Heartbleed Bug has rocked the IT world recently. It has been all over forums and blogs and has received significant coverage from news outlets. It should: it is a serious flaw, and one whose full effect appears nearly impossible to quantify.
We won't go into a deep analysis of the flaw on our blog, but if you aren't familiar with it, let this suffice: the Heartbleed Bug is a serious flaw in the OpenSSL cryptographic library. Because the vulnerable code did not verify the size of the data being requested in a simple heartbeat command, a server could inadvertently return sensitive information held in its memory. You can read more about the details of Heartbleed at heartbleed.com.
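To make the missing check concrete, here is an added example (not code from this post and not OpenSSL's own source) that models a heartbeat handler on a simplified, constructed record layout: a hypothetical heartbeat_response() trusts the request's length field when check_bounds is 0 and applies the shape of the 1.0.1g fix when it is 1, and secret_leaks() shows what each does to a constructed secret sitting in memory just after the record.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (after RFC 6520): type byte, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_HDR = 3, HB_PADDING = 16 };

/* Echo the request's payload into out. check_bounds == 0 reproduces the
 * defect: payload_length is trusted and that many bytes are copied from the
 * start of the payload, even past the end of the record. check_bounds == 1
 * applies the shape of the fix shipped in OpenSSL 1.0.1g: drop any request
 * whose claimed payload plus padding does not fit in the record that actually
 * arrived. Returns bytes written, or -1 when the request is dropped. */
int heartbeat_response(const unsigned char *record, size_t record_len,
                       unsigned char *out, size_t out_cap, int check_bounds)
{
    if (record_len < HB_HDR || record[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (check_bounds && HB_HDR + payload_len + HB_PADDING > record_len) return -1;
    if (payload_len > out_cap) return -1;   /* caller's buffer limit */
    memcpy(out, record + HB_HDR, payload_len);
    return (int)payload_len;
}

/* A 64-byte arena stands in for process memory: a 23-byte record ("ping" plus
 * 16 bytes of zero padding) at the front, then a constructed secret where a
 * session key or password might sit on a real heap. The request claims a
 * 40-byte payload. Returns 1 if the secret came back in the reply, 0 if not.
 * The over-read never leaves the arena, so the demo itself stays defined C. */
int secret_leaks(int check_bounds)
{
    static const char secret[] = "SECRET-SESSION-KEY";   /* 18 bytes */
    unsigned char arena[64] = {0}, out[64] = {0};
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;   /* claimed length */
    memcpy(arena + HB_HDR, "ping", 4);                     /* real payload */
    memcpy(arena + 23, secret, sizeof secret - 1);         /* adjacent memory */
    int n = heartbeat_response(arena, 23, out, sizeof out, check_bounds);
    /* 40 bytes from arena+3 cover arena[3..42]; the secret at arena[23..40]
     * lands at out[20..37] */
    return n >= 38 && memcmp(out + 20, secret, sizeof secret - 1) == 0;
}

int main(void)
{
    printf("unchecked length: secret leaked = %d\n", secret_leaks(0));
    printf("bounds check:     secret leaked = %d\n", secret_leaks(1));
}
```

With the check in place the malformed request is simply discarded, which is why patching the server, not changing passwords alone, is what closes the hole.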
Much of the discussion around Heartbleed has centered on desktop browsing security. Recent reports, however, are reminding users and providers not to forget about the mobile app vector. Keep in mind that mobile activity, whether in a mobile browser or within an app, connects to the same servers and web services that were affected by the Heartbleed Bug. This means that mobile security is just as compromised, and mobile expands the scope of the threat.
TrendLabs, a division of TrendMicro, did a recent audit of mobile apps and found the following:
Of 390,000 apps audited from Google Play, 7,000 connected to vulnerable servers
15 of those were bank-related apps
39 were online-payment related
10 were online-shopping related
Several popular apps that are accessed daily by many users (instant messaging apps, healthcare apps, mobile payment apps) are vulnerable
So What? What Do I Do Now?
If you're a user, we would definitely recommend updating your passwords. This is good practice to do frequently anyway as a personal security measure. Realistically, however, the vulnerability exposed by the Heartbleed Bug won't be remedied until affected servers and websites update to a patched version of OpenSSL. Before you change your password on a site, confirm with that site that it either was not affected by the bug or has updated its OpenSSL packages. It doesn't do you any good to change your password on a system that could still be compromised.
Some experts are encouraging users to limit their activity on mobile apps until they are sure that the apps either:
Aren't connected to a vulnerable server, OR
The service provider has updated to a patched version of OpenSSL
For those who are interested in learning more, here are some good resources:
Heartbleed.com – contains a very thorough explanation of the Heartbleed Bug along with a detailed FAQ.
A simple video explanation of how the Heartbleed Bug works, put out by Elastica
Run a real-time test to see if a site is vulnerable
A list of the top 630 (of a list of 10,000) sites that were tested and found vulnerable to Heartbleed