Millions of Android apps still affected by Heartbleed

[Image: Heartbleed logo. Credit: Thinkstock/Heartbleed.com]

I know it’s a busy time of year with the NBA and NHL playoffs underway, and the beginning of baseball season. There’s also some stuff going on in the Ukraine, and Google is now letting anyone with $1500 waste…I mean spend it on Google Glass. Aside from all of that, though, you may have heard of a serious security vulnerability in OpenSSL called Heartbleed. Although it’s been a few weeks since Heartbleed was revealed, reports suggest that as many as 150 million Android apps—including nearly 10 percent of the apps in the official Google Play store—remain vulnerable.

The initial response to the Heartbleed revelation was aimed at the websites and online services that rely on OpenSSL for encryption. Most of the major players quickly applied the patch and acquired new certificates so they could continue or resume normal operation. The insidious thing about Heartbleed, however, is that the open source OpenSSL library is used by a lot more than just websites—including connected “Internet of Things” devices and mobile apps. Getting millions of separate devices and apps updated is a much more daunting task than just patching Web servers.

“It's not a surprise to hear millions of users are affected by the Heartbleed vulnerability on Android. Now, the challenge is to get apps updated,” agreed Armando Orozco, senior malware intelligence analyst at Malwarebytes. “But with millions of users vulnerable, how do you get the message out to those users and app developers?”

The media hasn’t been shy about reporting on the dangers of Heartbleed, but most Android users probably don’t realize that the risk extends to the apps they use on their smartphone or tablet. Orozco stresses that there is actually increased risk when it comes to things like Android apps because the bad guys know where to look for the Heartbleed flaw, and they’re aware that most consumers are ignorant—or at least naïve—when it comes to security.

Of course, fixing the problem is much harder than just recognizing it. Orozco explains, “Updating apps in some cases can be easy with a quick developer fix but others might not be so easy. For example, they could no longer be maintained or preinstalled as part of an OEM ROM—OEM updates can take months to get to a consumer, if they happen at all. The other issue is embedded URLs that are out of the app developers’ hands to update.”

Android users should remember security best practices such as not logging into secure sites over public Wi-Fi networks, and watching out for email and SMS phishing scams. Most importantly, only download and install apps from trusted sources, and even then pay attention and think twice before approving permissions that let those apps access the functions of your Android device or your personal data without cause.

Sadly, though, none of those things will necessarily protect you from a situation like this. If there is a “silver lining” to the whole Heartbleed debacle, it’s that security is now on everyone’s radar—where it should have been in the first place.
