By now, you have probably heard about the Heartbleed bug, estimated to affect up to two-thirds of all websites that rely on the OpenSSL cryptographic library to protect usernames, passwords, credit and debit card numbers, and other sensitive information in transit. Whether attackers exploited this bug before it was publicly disclosed is still unknown, but now is the time to take precautions to avoid a security breach.
This now infamous bug reaches beyond your favorite websites: it can also affect your Android mobile devices. Attention around Heartbleed has focused on the most obvious scenario, a malicious client attacking a vulnerable server to steal sensitive data. The reverse is equally possible: a malicious or compromised server can exploit the same flaw in a vulnerable client to read memory from a mobile device's browser and apps, because the bug sits in code that both sides of a TLS connection run. Below is some additional information you can use to protect your device, data and identity in the wake of this incident.
What is Heartbleed?
It is important to understand that Heartbleed is not a virus. It is a programming error, a missing bounds check in the TLS heartbeat extension, in OpenSSL versions 1.0.1 through 1.0.1f (CVE-2014-0160). OpenSSL itself is not a standard but a widely used open-source library that implements the SSL/TLS protocols encrypting traffic between you, the user, and the back-end servers of most online services. The error lets an attacker, without any credentials, read up to 64 KB of the other side's process memory with each malformed heartbeat request. That memory does not come from a database directly, but it routinely contains whatever the process handled recently: user names, passwords, session cookies and, on servers, even the private key.
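The flaw itself, modelled as an added example in Python (this is not OpenSSL's code; the "process memory" contents, the buffer names and the sample cookie are constructed for illustration). The vulnerable handler trusts the length field the peer sends; the fixed handler, mirroring the check added in 1.0.1g, refuses any heartbeat whose claimed payload does not fit inside the bytes actually received:

```python
"""Heartbleed's bounds-check bug, modelled in Python (added example, not OpenSSL code).

A TLS heartbeat message is laid out as:
    type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
OpenSSL 1.0.1 through 1.0.1f copied payload_length bytes out of the receive buffer
into the reply without checking that many bytes had actually arrived, so a peer
that claimed a large length got back whatever sat in memory after the record.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3        # type byte + 2-byte length
PADDING_LEN = 16      # minimum padding the heartbeat RFC requires


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. An honest peer leaves claimed_length as None so
    the length field matches the payload; an attacker supplies a larger value."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """Pre-1.0.1g logic: trust the length field and copy that many bytes."""
    _hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    pl = rec_off + HEADER_LEN
    # BUG: rec_len (bytes actually received) is never consulted, so the copy runs
    # past the record into whatever else the process has in memory. (Python slicing
    # stops at the end of the bytearray; C's memcpy keeps reading.)
    echoed = bytes(memory[pl:pl + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def fixed_respond(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """1.0.1g logic: discard the message unless header + payload + padding fits
    inside the bytes that were actually received."""
    if rec_len < HEADER_LEN + PADDING_LEN:
        return None  # not even room for an empty payload plus padding
    _hbtype, payload_len = struct.unpack_from("!BH", memory, rec_off)
    if HEADER_LEN + payload_len + PADDING_LEN > rec_len:
        return None  # claimed length exceeds the record: silently drop it
    pl = rec_off + HEADER_LEN
    echoed = bytes(memory[pl:pl + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


# Constructed stand-in for process memory: the received record is followed by data
# left over from other connections, the kind of thing Heartbleed exposed.
LEFTOVER_MEMORY = (b"Cookie: session=3f1a9c; Authorization: Basic YWxpY2U6aHVudGVyMg==\x00"
                   + b"\x00" * 64)


def simulate(handler, request: bytes) -> Optional[bytes]:
    """Place the request at the start of 'memory' and hand it to a responder."""
    memory = bytearray(request + LEFTOVER_MEMORY)
    return handler(memory, 0, len(request))


def leaked_bytes(response: Optional[bytes], request: bytes) -> bytes:
    """Everything in the echoed payload that the requester never sent."""
    if response is None:
        return b""
    payload_len = struct.unpack_from("!BH", response, 0)[1]
    echoed = response[HEADER_LEN:HEADER_LEN + payload_len]
    honest_len = len(request) - HEADER_LEN - PADDING_LEN
    return echoed[honest_len:]


if __name__ == "__main__":
    benign = build_heartbeat(b"hello")
    evil = build_heartbeat(b"hi", claimed_length=0xFFFF)   # 2 bytes sent, 65535 claimed
    print("benign, vulnerable:", leaked_bytes(simulate(vulnerable_respond, benign), benign))
    print("evil,   vulnerable:", leaked_bytes(simulate(vulnerable_respond, evil), evil))
    print("evil,   fixed     :", simulate(fixed_respond, evil))
```

The honest request comes back identical from both handlers; the malicious one makes the vulnerable handler echo the padding plus everything that follows the record, while the fixed handler returns nothing at all. Because the handler code is the same on client and server, the same simulation describes a malicious server probing a vulnerable phone.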
How are mobile users affected?
At this time, mobile devices running Android 4.1.1 (Jelly Bean) ship the OpenSSL version with the Heartbleed bug. Other Android releases either use an older OpenSSL that predates the heartbeat code or were built with the heartbeat extension disabled, which is why 4.1.1 is the only affected version. A Google spokesperson confirmed to Bloomberg that millions of devices in use today still run 4.1.1 Jelly Bean.
Is this issue limited to just Android 4.1.1?
Not exactly: your apps may also be affected. An app that bundles its own copy of OpenSSL in its native libraries, rather than using the system library, carries the bug with it. So even if the OS version on your device is not vulnerable, individual apps may be, and they stay vulnerable until the developer ships an update built against a fixed OpenSSL.
What do Android users need to do?
- Download the free McAfee Heartbleed Detector app to determine if your device is vulnerable and to check your apps’ risk level.
- Check Settings -> About phone to determine which version of Android is running on the device. If it is Android 4.1.1, check for a system update and install it immediately.
- Even after updating the OS, be cautious about sensitive transactions on the device, such as banking and mobile payments, until the apps you use for them have been updated as well. Google is working on the fix for the OpenSSL problem in Android 4.1.1, but it only reaches your phone as a system update from the manufacturer or carrier, so in the meantime take extra steps to keep your personal information out of the wrong hands.
Our free McAfee Heartbleed Detector app can help users determine if a mobile device or any installed apps are affected by checking two data points:
- Determines which version of OpenSSL the Android system itself is using and whether that version carries the Heartbleed bug. If the device is running a vulnerable OpenSSL, the user is notified so that they can upgrade to the latest version of the Android OS available for the device.
- Checks the OpenSSL version bundled by every installed app to determine whether it is Heartbleed vulnerable. If an app is affected, you are notified and can then decide to uninstall it or update it to a newer, safer version, if one is available from the developer.
While this app will tell you whether your device or apps need to be updated, it cannot patch anything itself: the Heartbleed bug can only be fixed with a software update from the device manufacturer or the app vendor.