Over the past few weeks, we’ve heard a lot about the widespread effects of Heartbleed. One question we’ve heard repeatedly has been: “How does Heartbleed affect mobile security?” Heartbleed affects mobile security in several ways, as outlined below.
Heartbleed has been reported to affect millions of servers across the internet, including many that provide web services for mobile applications. Most of us understand SSL as “that green lock icon in the corner of your browser that means everything is secure and encrypted.” Think of mobile applications as specialized web browsers: they constantly connect to special web servers, or “web services,” to request or store your data for the application. Just as you browse to a website or enter data into a web form, most mobile applications work by making similar requests to web services. These web services often use OpenSSL to secure the connection, and many were running versions affected by Heartbleed. The bug lets an attacker read chunks of the server’s memory, so any data a mobile application sent over a secure connection to a vulnerable web service, along with anything else that happened to be in that server’s memory, may have been exposed. This includes, but is not limited to, passwords, credit card numbers, financial information and personal information. Moreover, a significant share of web browsing is now done on mobile devices. Regardless of the mobile browser used, mobile users face the same risk as desktop users when they connect (or have connected) to vulnerable web servers. This seems obvious but is worth emphasizing: whether you connect to a vulnerable service from a mobile device or a PC, your data is equally at risk of compromise.
Additionally, some mobile apps ship with their own bundled copy of OpenSSL, and where that copy is a vulnerable version an attacker could read sensitive information from the mobile device itself. Google has also announced that one version of Android Jelly Bean (4.1.1) is itself vulnerable to Heartbleed, which again could expose sensitive information from the device. In both cases the attack runs in the other direction: the malicious party is the server, and a user with a vulnerable app installed or a vulnerable device could be attacked simply by connecting to a malicious web server. Although this attack vector is less likely to occur, it could allow an attacker to read sensitive information from the device’s memory, which makes the potential impact significant.
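To make the leak concrete, here is an added example written for this post; it is not code from the original article and not OpenSSL’s own code. It models the heartbeat handling in C, since the same handler runs on both the server (the case described two paragraphs up) and the client (the bundled-OpenSSL and Android 4.1.1 case just described). The message layout follows the TLS heartbeat extension (a type byte, a 16-bit payload length, the payload, then at least 16 bytes of padding); the `memory` array, the `SECRET` string and all function names are constructed for the illustration. The vulnerable handler trusts the peer-supplied length field, so its `memcpy` reads past the end of the record and returns whatever lay next to it; the fixed handler adds the bounds check that the OpenSSL patch introduced and silently discards a request whose declared length does not fit in what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1) | payload_length (2, big-endian)
 * | payload | padding (at least 16 bytes). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3

/* Constructed stand-in for process memory: the received record is placed at
 * the start and a constructed "secret" right after it, modelling data that
 * happens to sit next to the record on the heap. */
static unsigned char memory[256];
static size_t record_len;
static const char SECRET[] = "session=abc123; card=4111-1111";

/* Build a heartbeat request. 'claimed' is the payload_length field the peer
 * sends; 'actual' is how many payload bytes are really present. An attacker
 * sets claimed far larger than actual. Returns the record length. */
size_t build_request(unsigned char *buf, uint16_t claimed,
                     const unsigned char *payload, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, actual);
    memset(buf + HB_HEADER + actual, 0, HB_PADDING);
    return HB_HEADER + actual + HB_PADDING;
}

/* Place a request in the simulated memory with the secret directly after it. */
void stage_memory(uint16_t claimed, const unsigned char *payload, size_t actual)
{
    memset(memory, 0, sizeof memory);
    record_len = build_request(memory, claimed, payload, actual);
    memcpy(memory + record_len, SECRET, sizeof SECRET);
}

/* Vulnerable handler: echoes payload_length bytes without checking that the
 * record actually contains that many, so the memcpy reads past the record.
 * (This simulation keeps the read inside 'memory'; the real bug returned
 * whatever followed the record on the heap, up to 64 KiB per request.) */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;   /* the bug: the received length is never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > out_cap)
        return -1;   /* only the output buffer is protected */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* over-read */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)(HB_HEADER + payload_len + HB_PADDING);
}

/* Fixed handler: the bounds check the OpenSSL patch added. A request whose
 * declared payload does not fit in the received record is discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;   /* declared length exceeds what was received */
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)(HB_HEADER + payload_len + HB_PADDING);
}

/* 1 if the response carries the secret that lay beyond the record, else 0. */
int response_leaks_secret(const unsigned char *resp, int resp_len)
{
    size_t n = strlen(SECRET);
    if (resp_len <= 0) return 0;
    for (size_t i = HB_HEADER; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Malicious request: 5 real payload bytes, payload_length claimed as 64.
 * Returns 1 when the vulnerable handler leaks the secret and the fixed one
 * refuses the request. */
int run_attack(void)
{
    unsigned char out[256];
    stage_memory(64, (const unsigned char *)"hello", 5);
    int n = heartbeat_vulnerable(memory, record_len, out, sizeof out);
    int leaked = response_leaks_secret(out, n);
    int refused = heartbeat_fixed(memory, record_len, out, sizeof out) == -1;
    return leaked && refused;
}

/* Honest request: declared length matches the payload. Returns 1 when the
 * fixed handler echoes exactly the 5 payload bytes and nothing leaks. */
int run_honest(void)
{
    unsigned char out[256];
    stage_memory(5, (const unsigned char *)"hello", 5);
    int n = heartbeat_fixed(memory, record_len, out, sizeof out);
    return n == HB_HEADER + 5 + HB_PADDING
        && memcmp(out + HB_HEADER, "hello", 5) == 0
        && !response_leaks_secret(out, n);
}

int main(void)
{
    printf("malicious request: vulnerable leaks, fixed refuses -> %d\n", run_attack());
    printf("honest request served by fixed handler -> %d\n", run_honest());
    return 0;
}
```

The honest request shows that the fix costs nothing for legitimate traffic: a heartbeat whose declared length matches its payload is answered exactly as before, while the malicious one (a 64-byte claim backed by 5 real bytes) gets no response at all from the fixed handler and a response full of neighbouring memory from the vulnerable one.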
We recommend that mobile users take the following steps to safeguard their data from the effects of Heartbleed:
- Due to the widespread nature of Heartbleed, we recommend that users change the passwords for all of their accounts. Although it’s against best practice, many users still reuse passwords across many different sites, which amplifies the effects of such a widespread vulnerability. For this reason, and because of how widely the bug was deployed, we feel the best course of action is for users to change their passwords across all sites and services, not just those known to be affected. While most services have patched their affected systems, users should verify that a service has been fixed before changing their password there; otherwise the new password may be just as exposed as the old one.
- As always, users should be careful about which sites they visit, to avoid falling victim to malicious websites and services. Attackers are capitalizing on the turmoil by luring people to scams and exploits with promises of Heartbleed fixes, security checks and the like. Although this advice applies at all times, users should be especially suspicious of unsolicited emails or text messages, and should seek out reputable sources for Heartbleed fixes or security checks.
- Users running Android Jelly Bean 4.1.1 should check for updates from their carrier or device manufacturer. Unfortunately, if no fix is available yet, users will need to wait for their provider to release one.