Android Apps Vulnerable to Heartbleed Bug, Security Researchers Find

by Istvan Fekete on April 24, 2014

About 150 million downloads of Android mobile applications may be vulnerable to the recently uncovered Heartbleed bug, new research has discovered. Also, for those using any of the 17 Android apps that scan for the bug, here is some noteworthy information: at least a third of them are using an inadequate method.

The findings come from three researchers, Yulong Zhang, Hui Xue, and Tao Wei, of computer security firm FireEye. In a blog post entitled “If an Android has a heart, does it bleed?” they analyze the current status of the Heartbleed bug and how it affects the Android world.

According to their findings, the Android platform itself is not vulnerable to the bug – except Jelly Bean 4.1 and 4.1.1 – because most versions either don’t use OpenSSL, or build it in such a way that the flawed feature is disabled by default. It’s the individual apps, which often ship their own copy of OpenSSL, that are vulnerable to the bug.

The most exposed apps are games, the researchers say. It’s not the games themselves that matter, but the Facebook or Twitter credentials linked to them that make them interesting to attackers. An attacker could simply hijack a game account to gain access to the more valuable social media account behind it.

“We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.”

Also, if you used any of the 17 antivirus apps available on Google Play that claim to be “Heartbleed detectors”, you may want to reconsider your choice: six of them only scan the OpenSSL library belonging to the Android platform for the vulnerability, which isn’t sufficient to detect Heartbleed on Android, since the exposed copies of OpenSSL are the ones bundled inside individual apps.
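As an added illustration (not code from the article or from FireEye), a check that does what the researchers say the weaker detectors skip: rather than inspecting the platform’s OpenSSL, it opens an APK and looks for the OpenSSL version banner inside each bundled native library, flagging the 1.0.1 through 1.0.1f range that Heartbleed affects. The sample APK contents are constructed inline, and a banner match is only a heuristic: a library built with the flawed feature disabled, or carrying a backported fix, keeps its old version string.

```python
import io
import re
import zipfile

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the first fixed release.
# libssl/libcrypto builds embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)")

def is_heartbleed_version(base: str, letter: str) -> bool:
    """True for 1.0.1 with no patch letter or letters a..f (banner heuristic only)."""
    return base == "1.0.1" and letter <= "f"

def scan_apk(apk_bytes: bytes) -> list:
    """Return (library path, version) for each bundled .so whose OpenSSL banner is in
    the Heartbleed range. Caveat: a build with the heartbeat code compiled out, or
    with a backported fix, keeps its old banner and will still be flagged here."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Native libraries live under lib/<abi>/ inside the APK zip.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            match = BANNER_RE.search(apk.read(name))
            if match is None:
                continue  # no OpenSSL banner in this library
            base, letter = match.group(1).decode(), match.group(2).decode()
            if is_heartbleed_version(base, letter):
                findings.append((name, base + letter))
    return sorted(findings)

def build_fake_apk(libs: dict) -> bytes:
    """Constructed test input: an APK-shaped zip with the given lib/ entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        for path, content in libs.items():
            z.writestr(path, content)
    return buf.getvalue()

# Constructed sample: one vulnerable banner, one fixed, one library without OpenSSL.
SAMPLE_APK = build_fake_apk({
    "lib/armeabi/libcrypto.so": b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...",
    "lib/armeabi/libgame.so": b"\x7fELF...no tls here...",
    "lib/x86/libssl.so": b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014...",
})

if __name__ == "__main__":
    for path, version in scan_apk(SAMPLE_APK):
        print(f"vulnerable OpenSSL {version} bundled in {path}")
```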
