Heartbleed is causing heartache on hundreds of servers all over the internet, but security researchers have also warned that the bug could allow direct hacks of Android, too. Here’s how to check if your device is at risk.
While researchers at security firm Symantec happily report that the major browsers don’t rely on the OpenSSL cryptographic library to implement HTTPS—so are unaffected by Heartbleed—the same isn’t true of the Android OS. Ars Technica explains how your Google-powered device could be compromised:
[T]he most likely scenario for an attacker exploiting a vulnerable Android device is to lure the user to a booby-trapped website that contains a cross-site request forgery or similar exploit that loads banking sites or other sensitive online services in a separate tab. By injecting malicious traffic into one tab, the attacker could possibly extract sensitive memory contents corresponding to the sites loaded in other tabs, he said. A less sophisticated version of the attack—but also one that’s easier to execute—might simply inject the malicious commands into a vulnerable Android browser and opportunistically fish for any sensitive memory contents that may be returned.
With so many tweaked and forked version of Android out there, though, it’s tough to provide a conclusive list of exactly which devices are affected. But good news: Heartbleed Detector, a free app developed by Lookout Mobile, will tell you if your device is at risk.
So, go download the app and run it. It will tell you if your device contains the vulnerable version of OpenSSL that Heartbleed affects. It will also tell you if the Heartbeat extension that hosts the coding bug is enabled. If you don’t have the vulnerable version, or you do but but the extension isn’t enabled, you should be just fine. Otherwise, you better hold tight and act carefully until your OS is patched. [Heartbleed Detector via Ars Technica]