Heartbleed bug - mobile apps are affected too

Tech May 13, 2014 00:00

By William Tan

7,149 Viewed

The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue, and with good reason as a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable.

At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone and Ars Technica.
All the extended coverage of the flaw begs the question, “Are mobile devices affected by this?” The short answer: yes.
Mobile apps, like it or not, are just as vulnerable to the Heartbleed bug as websites are, because apps often connect to servers and Web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.
Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit-card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit-card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. 
As such, cyber-criminals can take advantage of the Heartbleed bug to target that server and milk it of information, like your credit-card number. It’s as easy as that.
What about apps that don’t offer in-app purchases? Are they safe from this vulnerability? Not really.
As long as it connects to an online server, it’s still vulnerable, even if your credit card isn’t involved. For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards.
Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on its own, through its own in-app browser, and have you log into the social network there. 
While we’re not saying the social networks you go to are vulnerable to the Heartbleed bug, the possibility is there, and thus the risk is there as well.
We looked deeper into the matter and inspected some Web services used by popular mobile apps, and the results show that the vulnerability still exists.
We scanned around 390,000 apps from Google Play, and found around 1,300 of them connected to vulnerable servers. Among them are 15 bank-related apps, 39 online payment-related, and 10 online shopping-related. 
We also found several popular apps that many users would use on a daily basis, like instant messaging apps, healthcare apps, keyboard-input apps – and most disconcertingly – even mobile payment apps. These apps use sensitive personal and 
financial information, which are data mines just ripe for the cyber-criminal’s picking.
What can be done against the Heartbleed bug, then? Not a whole lot, we’re afraid. We can tell you to change your password, but that’s not going to help if the app developers – and the Web service providers, as well – don’t fix the problem at their end. This means upgrading to the patched version of OpenSSL, or at least turning off the problematic Heartbeat extension.
Until then, what we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favourite app’s developer releases a patch that does away with the vulnerability. We’ll keep you updated in the meantime as to all that’s happening with the Heartbleed bug.
William Tan is regional country manager of TrendMicro Thailand and Indochina.