
Mobile Apps Susceptible to Heartbleed, Too

It's not just Internet infrastructure that's susceptible to Heartbleed, one of the most pervasive OpenSSL security threats in some time. Mobile apps may also be at risk, and several firms are offering warnings and patches to safeguard consumer phones.

The Heartbleed bug is a software flaw discovered last week in the OpenSSL "Heartbeats" function that helps keep secure Internet connections alive. The bug could potentially let cyber criminals steal endless amounts of personal data.

While concern was initially for vulnerable websites, researchers are now warning that the mobile operating systems of both Google (Nasdaq: GOOG) and Apple Inc. (Nasdaq: AAPL) could be at risk as well. As such, BlackBerry said on Monday that it would release security updates for its messaging software on Android and iOS devices by the end of the week.

BlackBerry devices themselves don't use the at-risk software, but the company tells Reuters it needs to update its Secure Work Space corporate email and BBM messaging programs that are in use on Android and iOS. The risk level may be relatively low, but the company says it could infect those who use the apps either on WiFi or over the cellular network.

Technically, any app that uses the OpenSSL code is susceptible to the Heartbleed bug. Mobile security provider Lookout has put out a Heartbleed Detector app that, when downloaded by a mobile phone user, can determine what version of OpenSSL the device is using and check to see if the vulnerable Heartbeats feature is enabled. It can't do anything about it -- that's up to Google or the device maker -- but it does alert consumers to the potential for harm.
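As an added illustration (not code from the article or from Lookout's app), the two-part check described above, version of OpenSSL plus whether the heartbeat extension is compiled in, written in Python over a constructed app inventory. The affected version range is public knowledge about the bug; the `heartbeats_compiled_in` flag is an assumed input standing in for whatever a device-side check reports.

```python
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and later are fixed. The 0.9.8 and 1.0.0 branches never had the TLS
# heartbeat extension. (Public facts about the bug, not taken from the article.)
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013' into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), beta


def is_heartbleed_vulnerable(banner, heartbeats_compiled_in=True):
    """True if this OpenSSL build can leak memory through the heartbeat bug.

    heartbeats_compiled_in mirrors the second half of the detector's check:
    a build made with OPENSSL_NO_HEARTBEATS has the extension removed and is
    not exposed even at an affected release such as 1.0.1e.
    """
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        affected_release = letter <= "f"        # 1.0.1 (no letter), 1.0.1a .. 1.0.1f
    elif (major, minor, fix) == (1, 0, 2):
        affected_release = beta == "beta1"      # fixed from 1.0.2-beta2 on
    else:
        affected_release = False
    return affected_release and heartbeats_compiled_in


# Constructed sample inventory: (app name, OpenSSL banner, heartbeats compiled in).
SAMPLE_INVENTORY = [
    ("messenger-app", "OpenSSL 1.0.1e 11 Feb 2013", True),
    ("bank-app",      "OpenSSL 1.0.1g 7 Apr 2014", True),
    ("old-reader",    "OpenSSL 1.0.0k 5 Feb 2013", True),
    ("vpn-client",    "OpenSSL 1.0.1e 11 Feb 2013", False),  # built with OPENSSL_NO_HEARTBEATS
]


def triage(inventory):
    """Return the names of apps whose bundled OpenSSL build is exposed to Heartbleed."""
    return [name for name, banner, hb in inventory if is_heartbleed_vulnerable(banner, hb)]


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['messenger-app']
```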

Since the bug was unearthed, there haven't been reports of widespread damage, but it could only be a matter of time. In the meantime, companies from operators to network equipment makers to software providers are working hard to develop patches and upgrades so consumers aren't affected. (See Cisco, Juniper Treating Gear Against Potential Heartbleed and Eurobites: Telenor Counters Heartbleed Threat.)

Lookout also suggests that consumers change their passwords, but not until their individual service providers tell them to: the vulnerability pulls data from the active memory of affected systems, so until a system is patched an attacker could capture the new password as well.

— Sarah Reedy, Senior Editor, Light Reading

Sarah Thomas 4/14/2014 | 2:12:12 PM
More malware
It may only be a small percent of apps that get affected by malware, but there's a whole lot of it out there. Just got another warning email from FireEye, noting their "mobile security research team has discovered a new vulnerability, in which malicious apps with normal protection levels can probe and hijack icons on the Android home screen, modifying the app to direct users to phishing websites, ultimately subjecting them to even stronger cyber attacks. Read more on FireEye's blog here."

Mitch Wagner 4/14/2014 | 5:16:02 PM
Re: More malware
The three guys still using BlackBerries will be relieved they're covered.

DanJonesLRMobile 4/14/2014 | 5:46:23 PM
Re: More malware
A lot of the US govt. is still on BlackBerries, although I suspect they may have disabled BBM anyway.

kq4ym 4/14/2014 | 7:05:58 PM
Re: More malware
It will be a while before the news is in of how many affected folks were harmed. I suspect it's a pretty small number and maybe so negligible as not to even count. But, the scare is there and now a mobile app alert joins the bad news. We'll just wait and see what eventual harm may arise.

Sarah Thomas 4/15/2014 | 12:59:07 PM
Re: More malware
Yeah, it seems like most of the patches will be out in time, but we really don't know. I haven't gotten any notifications from service providers about actions to take. I was going to just change all my passwords, but sounds like that's not the wisest move, according to Lookout.

MalcolmTucker 4/15/2014 | 2:39:12 PM
Re: More malware
I was performing some research into this. Apparently, the Apple "Airport Utility", which comes as standard software with all Mac computers, uses the OpenSSL library.

This is in the acknowledgements and licensing agreement feature within the Airport Utility itself.

Because the code hasn't been verified to be vulnerable, it may be best to take the Airport Utility (located in the "Utilities" folder) and place it into the trashcan. Apple's culture is one of secrecy and to not disclose issues until a patch is released.

Because Apple and everybody was blindsided, it's probably best to place the Airport Utility into the trash.

Airport controls WiFi connections to Apple's own WiFi routers. You should be able to connect to the internet, and configure your router if you use the Apple iPhone or iPad configuration app; then delete the app on your iPad until you need it again.

Phil_Britt 4/15/2014 | 2:48:01 PM
Re: More malware
To me the FireEye notification seems to be somewhat self-serving. McAfee also sent out notices, but also said that their software is not designed to protect against this type of vulnerability. It's good to get notices out, but I'm cautious any time the notice comes from someone seeking to sell a solution.

Mitch Wagner 4/15/2014 | 4:50:07 PM
Re: More malware
Attackers used Heartbleed to break into the Canada Revenue Agency.

Sarah Thomas 4/15/2014 | 6:26:10 PM
Re: More malware
Yikes, I guess it's starting then.

Sarah Thomas 4/15/2014 | 6:27:15 PM
Re: More malware
Thanks for the heads up, Malcolm. I hope Apple issues that patch soon too.