Following this week’s discovery of the serious Heartbleed bug in OpenSSL, mobile security company Lookout released an Android tool that will help users detect the presence of the security vulnerability on their Android devices.
The Heartbleed bug allows attackers to exploit a flaw in the OpenSSL library, exposing confidential data that would normally be protected by SSL/TLS encryption.
Lookout’s detector app can be downloaded for free from the Google Play Store and does one thing only: it identifies the OpenSSL version used on the Android device, checks whether that version carries Heartbleed, and, if it does, determines whether the vulnerable behavior is enabled.
The app, however, won’t tell the user whether the sites they visit or the other apps they use are affected. Nor does it provide a fix.
If the device is in the clear, the app will display “Everything is OK”. In the worst case, the user will see a red warning sign along with the confirmation “And the vulnerable behavior is enabled,” indicating that Heartbleed is present and enabled.
Most others will likely get a yellow warning, indicating the presence of Heartbleed but assuring that, although it’s there, it’s not enabled.
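The three outcomes described above boil down to two questions: is the device’s OpenSSL build a Heartbleed-affected release, and is the vulnerable heartbeat behavior enabled? The following is an added illustration of that decision logic, not Lookout’s code; it assumes the caller has already obtained the OpenSSL version banner and has separately determined whether heartbeat support is compiled in (the `heartbeats_enabled` flag is an input here, not something this snippet detects).

```python
import re

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 beta
# releases. 1.0.1g is the first fixed release; the 1.0.0 and 0.9.8 branches
# never contained the bug.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d*|pre\d*))?")


def parse_version(banner):
    """Extract (major, minor, fix, patch_letter, prerelease) from a banner
    such as 'OpenSSL 1.0.1e 11 Feb 2013'. The patch letter is '' for a bare
    release like 1.0.1, and prerelease is '' unless a -betaN/-preN tag exists."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre or ""


def is_heartbleed_version(banner):
    """True if the banner names an OpenSSL release that ships the Heartbleed bug."""
    major, minor, fix, letter, pre = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Bare 1.0.1 ('' <= 'f') up to 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2 beta builds carried the bug; no final 1.0.2 release did.
        return pre.startswith("beta")
    return False


def classify(banner, heartbeats_enabled):
    """Map a device's OpenSSL state onto the detector's three outcomes:
    'green'  - version not affected ("Everything is OK")
    'yellow' - affected version present, but the vulnerable behavior is disabled
    'red'    - affected version present and the vulnerable behavior is enabled"""
    if not is_heartbleed_version(banner):
        return "green"
    return "red" if heartbeats_enabled else "yellow"


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real device.
    for banner, enabled in [("OpenSSL 1.0.1c 10 May 2012", True),
                            ("OpenSSL 1.0.1c 10 May 2012", False),
                            ("OpenSSL 1.0.1g 7 Apr 2014", True)]:
        print(banner, "->", classify(banner, enabled))
```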
Although the security flaw is primarily a server-side vulnerability, Android users worry about it because Android uses a version of OpenSSL. Devices running Android 4.1.1 Jelly Bean are vulnerable, but Google is working on a patch for that specific version.
Google assured Android users, though, that “all versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).”
On the bright side, Lookout reports that it has not yet found cases of mobile devices exploited through the Heartbleed vulnerability. That, however, is no reason for anyone to be complacent.
Vigilance and looking out
One positive step an average user can take is to check for software updates from the Android device’s manufacturer and install them immediately, especially updates that patch the security hole. Another is to stay on the lookout for notices and alerts from sites where the user holds online accounts. Affected sites may implement measures to remove the vulnerability and inform their users accordingly. Beyond these, there is very little else a user can do.
Have you scanned your Android device for Heartbleed today? What result did you get? Does it scare you? Share your thoughts in the comments section.