How to check if your Android phone is vulnerable to Heartbleed
Heartbleed is a critical bug in OpenSSL that allows for the stealing of information that would normally be protected by SSL/TLS encryption. Essentially anyone on the internet can read the memory of systems protected by vulnerable versions of the popular cryptographic software library. The bug affects two-thirds of the Internet and while Google has patched its services, Android remains affected.
If you have an Android phone you can quickly check to see what version of OpenSSL it’s running, and whether the vulnerable feature, called Heartbeats, is enabled.
All you need to do is download and run Lookout’s Heartbleed Detector. It will scan the mobile OS and list its findings. With luck you’ll see a green tick next to the comforting words "Everything is OK". In the worst case scenario you’ll see a red exclamation point next to the words "And the vulnerable behavior is enabled". If you do encounter this message, don’t panic, or ditch your mobile. While the threat is real, the likelihood of you encountering an exploit is minimal. Lookout says it has "not yet seen the Heartbleed vulnerability exploited on a mobile device".
While Heartbleed Detector will warn you if your phone is at risk, it can’t detect if any apps or websites you visit are vulnerable. Neither can it patch the problem -- only Google can do that.
There’s not a lot you can do to protect yourself from the bug but it is worth making sure you’re running the latest version of Android. Go into your device’s settings, and check for any system updates there.
As well as informing you whether your version of Android is vulnerable, the app also provides additional information on the Heartbleed bug.