Tuesday, 15. April 2014

Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed

In an earlier blog post, we mentioned that mobile apps are also affected by the Heartbleed vulnerability. This is because mobile apps may connect to servers affected by the bug. However, it appears that mobile apps themselves could be vulnerable because of a bundled OpenSSL library.

OpenSSL Library Present in Android 4.1.1 and Certain Mobile Apps

We have information that although the buggy OpenSSL is integrated with the Android system, only the Android 4.1.1 version is affected by Heartbleed vulnerability. For devices with that version, any app installed with OpenSSL which is then used to establish SSL/TLS connections is possibly affected and can be compromised to get user information from the device memory.

However, even if your device is not using the affected version, there is still the matter of the apps themselves. We have found 273 in Google Play which are bundled with the standalone affected OpenSSL library, which means those apps can be compromised in any device.

In this list, we see last year’s most popular games, some VPN clients, a security app, a popular video player, an instant message app, a VOIP phone app and many others. As you may well know, the OpenSSL library is used by apps for secure communications. Lots of apps are from top developers. We also found the vulnerability in the older versions of Google’s apps.

140415comment02

Figure 1. Apps vulnerable to Heartbleed include those that are highly popular

These apps statically link to the vulnerable OpenSSL library as shown below:

140415comment03

140415comment04

Figure 2. Vulnerable OpenSSL Library

A reverse client-side Heartbleed attack is possible if the remote servers those apps connect to are compromised. A reverse Heartbleed can of course also expose user device memory to a cybercriminal. The memory may contain any sensitive information stored in these apps locally. If you use a vulnerable VPN client or VOIP app to connect to an evil service, you may lose your private key or other credential information, then the hacker may forge your identity and do other bad things from there.

We advise the app developer to hasten the speed to upgrade the OpenSSL library, and publish them to end-users. For general users, you need to be aware of the fact that your clients are able to leak information, no matter how secure the remote server is, or the good reputation or trustworthiness of the app developer. You should also update your apps as soon as a fix is made available. Google is currently distributing patching information for the affected Android version—you should also check if an update is made available for your device.

We will also be creating a tool very soon to check if your apps are vulnerable.

An Update on Apps Connecting to Servers Vulnerable to Heartbleed

After we disclosed about the mobile apps connecting to vulnerable servers, we continued to monitor them. We have seen up to 7,000 apps at the time of monitoring that are connecting to Heartbleed-vulnerable servers, while in our latest verification, around 6,000 apps are still affected. Let’s see what types of mobile apps they are:

Hearbleed Chart

Figure 3. Distribution of Mobile Apps Vulnerable to Heartbleed, by Category

For discussion purposes, we highlight only the app categories that we consider possibly sensitive in that they may store users’ private information on the server, which means users may be leaking information by using these apps. We see that a large portion of these kinds of apps are Lifestyle apps. These apps include anything from ordering food, grocery items, equipment, reading books, couponing, clothing, furniture, etc. This also means that if a user for instance orders food or supplies through one of these affected apps, information about their order, including user credentials, their home address—or worse, their credit card information—can be leaked.

Note that we have informed Google about this issue.

For other conversations on the Heartbleed bug, check our entries from the past week:


•  Heartbleed Bug—Mobile Apps are Affected Too
•  Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M
•  Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability


Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Bundled OpenSSL Library Also Makes Apps and Android 4.1.1 Vulnerable to Heartbleed