
Understand Heartbleed flaw on Mobile devices

Release Date: 11 Jun 2014


Recently, a security researcher discovered a vulnerability in OpenSSL, called Heartbleed. The vulnerability shook the entire Internet, including large-scale websites, web hosting providers and Internet users.


What is Heartbleed?

In simple terms, Heartbleed is a vulnerability in the Heartbeat feature of OpenSSL versions 1.0.1 to 1.0.1f. When an attacker connects to a vulnerable system, he can steal information from the server, including account information, the server's private key, etc. The theft leaves no trace on the server.

 

For more information, please refer to: "Impacts and Response to Heartbleed Vulnerability" </my_url/blog/14041501>

 

Heartbleed flaw in Mobile devices

 

Most of the concern about the Heartbleed flaw centres on web servers. However, Heartbleed does not only exist on computers; it also exists on mobile devices. Some Android versions use a vulnerable OpenSSL, which may lead to data leakage. The following two situations may pose security risks.

 

Situation 1: Mobile device connecting to Heartbleed server

 

If an online service runs on a Heartbleed-vulnerable server, an attacker can steal information from the server, including the private key used to provide the secure channel. When a user connects to the vulnerable server through either an App or a browser, the connection between the two ends is no longer secure.

 

Solution:

  1. In this situation, the user has to know whether the server providing the online service is patched or not. To examine the patch status of servers, please refer to "Impacts and Response to Heartbleed Vulnerability" </my_url/blog/14041501>
  2. To ensure your information is safe, after the Heartbleed flaw is patched on the server, we recommend that you change your account password for the related online services.

 

Fig 1) The communication channel is not secure, because the private key of the Heartbleed server may be stolen.

 

Situation 2: Mobile device containing vulnerable OpenSSL library

 

If a vulnerable OpenSSL library is used by a mobile system or an App, then when the user connects to a malicious server via either the system browser or the App, the malicious server's owner (the attacker) can conduct a reverse Heartbleed attack to steal information from the vulnerable mobile device.

 

* This situation does not affect Apple iOS and Windows Phone devices, because they do not use OpenSSL.
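The heartbeat handling behind both situations, as an added illustration in C that is not from this page or from OpenSSL: a simplified heartbeat handler with the length check missing, beside the patched form. The message layout follows RFC 6520 (type, 2-byte payload length, payload, at least 16 bytes of padding); the function names are hypothetical. In situation 1 the vulnerable handler runs on the server, in situation 2 it runs inside the phone's OpenSSL, so the same bug is reachable from whichever side sends the malformed request.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example modelling the TLS heartbeat extension (RFC 6520); not OpenSSL code.
 * Message: type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * payload_length is supplied by the peer; rec_len is how many bytes really arrived. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

static size_t hb_payload_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable handler: echoes payload_length bytes back, trusting the peer's number
 * instead of checking it against rec_len. With a short record and a large
 * payload_length, memcpy reads past the record into whatever memory follows it. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0; /* guards only the output */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);           /* over-read happens here */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler: same logic plus the bounds check the Heartbleed patch introduced.
 * A request is silently discarded unless header + payload + padding fit in the record. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_payload_len(rec);
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0;  /* the missing check */
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}
```

A detector App works on the same principle from the outside: it sends a request whose claimed payload length exceeds what it actually sent, and a response longer than the request means the handler lacks the check.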

 

Fig 2) The attacker can conduct a reverse attack to steal information from the mobile device when a Heartbleed-vulnerable mobile device connects to a malicious website created by the attacker.

 

Detection of Heartbleed flaw on mobile devices

 

In situation 2, Android is a popular mobile system that uses OpenSSL. However, this does not mean that all versions of Android use a vulnerable OpenSSL. Even if Android uses a vulnerable version of OpenSSL, it is still safe if the heartbeat function is disabled.

 

However, different mobile device manufacturers ship their own customised Android systems, and there is no standard for which version of the OpenSSL library is used. Therefore, we cannot determine whether a device is vulnerable by checking the Android version alone. To verify whether your Android device is vulnerable, you need a Detector App.

 

Some Heartbleed detector Apps not only detect whether your Android device is vulnerable to Heartbleed, but also scan installed Apps that bundle their own vulnerable OpenSSL library. Together these checks ensure that both your Android system and your installed Apps are free of the Heartbleed flaw. Please refer to the remark "List of Heartbleed detector Apps".

 

Solution:

  1. Scan your Android system and installed Apps for the Heartbleed flaw.
  2. If your Android system contains the Heartbleed flaw, please contact your Android device's manufacturer and check whether an update patch is available for your device.
  3. If an installed App contains the Heartbleed flaw, please stop using the App, and try to contact the App developer for a version updated with a fixed OpenSSL library.
  4. To ensure your information is safe, after all Heartbleed flaws are patched in your Android system and in installed Apps, we recommend that you change your device account password and the passwords of all related online services.

 

Remark:

 

List of Heartbleed detector Apps