Heartbleed: What you need to know as an Android user

BY Abhijeet Mishra

Published 15 Apr 2014


If you’ve been surfing the web in the last week or so, you’ve probably come across the word Heartbleed. One of the most serious security flaws ever discovered, Heartbleed is a bug in OpenSSL, a commonly used security system that potentially two-thirds of websites use to keep information like your passwords secure. Heartbleed’s existence went unnoticed for almost two years, which is partly the reason why it was deemed to be such a dangerous exploit, affecting major websites like Yahoo and Wikipedia. Unfortunately, Google’s mobile operating system was affected as well.

How does Heartbleed work?

Whenever you visit a secure website, like Gmail, the data exchange between your device (let’s say, your computer) and the website’s servers takes place through a channel secured by encryption keys. Any data sent to and fro is encrypted using these keys, and no one except the two communicating parties can understand what was said, as only they have the necessary keys to decrypt the data.

To ensure that a device and the server are still connected, a device periodically sends and receives messages, a process which is termed Heartbeat. The Heartbleed bug allows hackers to send trick heartbeat messages, which can fool a site’s server into relaying data that’s stored in its RAM — including sensitive information such as usernames, passwords, credit card numbers, emails, and more. Basically, it exploits the encryption keys, allowing “attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

How is Android affected?

Well, just like a computer, your Android device connects to the internet and sends and receives data on websites and apps using OpenSSL for encryption. As a result, the Heartbleed bug can be used to steal passwords and other private information from a device. According to Google, only Android 4.1.1 is affected, but it isn’t that simple – for example, the BlackBerry Messenger app is also affected by Heartbleed, so your device is at risk because of both the OS version and the apps installed on it. Furthermore, there’s a possibility some versions of Android 4.2.2 are affected as well, thanks to the customization done by carriers and hardware manufacturers on their devices’ software, putting millions of Android users at risk.

How to check if your device has the Heartbleed bug?

Thankfully, there are a couple of apps on the Google Play Store that can detect whether a device is affected by the Heartbleed bug. One is Heartbleed Detector from Lookout, which will detect if the version of Android on your device is affected. Going a step further is Heartbleed Scanner – apart from checking the OS itself, this app will also scan all apps that are using OpenSSL and warn you accordingly if there’s a chance Heartbleed affects any of those apps.

How to protect your device from being exploited?

Unfortunately, except for changing their passwords and uninstalling/not using affected apps, end users can’t really do anything to prevent their device and services from being exploited using Heartbleed. Since Heartbleed is a bug in the OpenSSL software that’s installed on the server end, the only way to disable it is for companies and manufacturers to update their version of OpenSSL.

Google has said that a firmware update will soon be released to patch the exploit, but that won’t be of any use on devices not running a stock version of Android. Basically, manufacturers will have to step up and release the necessary patches for their customized versions of Android, something which might take a lot of time – it’s the same story for affected apps, but writing in an email to the app’s developer to plug Heartbleed should help along the proceedings.

However, until that happens, changing passwords to important websites (banking, social networks, etc.) you might have visited from your smartphone or tablet’s browser is the only solution. Other than that, only thing left to do is hope that a patch from your device manufacturer comes out soon to patch up and close the loop holes that can be used to exploit Heartbleed.

[via ArsTechnica, Heartbleed]