Android apps make way for Heartbleed exploits
Lots of things have been said about the OpenSSL bug Heartbleed (CVE-2014-0160) since it reached the public's attention, including what users should do to counter possible exploits (many have advised changing all their passwords). The main focus has been on popular products from top companies such as Apple, Google and Microsoft. However, the actions of other developers, who may seem inconspicuous in the whole Heartbleed debacle, can have a far-reaching effect as well.
A new report from FireEye notes that Android apps with a combined 150 million downloads "contain OpenSSL libraries vulnerable to Heartbleed". As Google has said, the Android platform itself is not vulnerable (the one exception is version 4.1.1 Jelly Bean, for which a patch was distributed to partners), but that advantage is lost when app developers bundle their own copy of OpenSSL and expose users to Heartbleed themselves.
"Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries", says FireEye. "Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents".
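The crafted heartbeat messages FireEye describes work because a vulnerable OpenSSL trusted the length field inside the heartbeat request instead of the length of the record that actually arrived. The following is an added example, not FireEye's code and not OpenSSL's: it models RFC 6520 heartbeat handling in Python over a bytearray that stands in for process memory, with the pre-1.0.1g logic beside the bounds check that 1.0.1g added. The message layout, the `SECRET` bytes placed next to the record and the `demo` helper are constructed for illustration.

```python
"""Model of the heartbeat-length bug behind Heartbleed (CVE-2014-0160).

Added example: simulates RFC 6520 heartbeat handling over a bytearray that
stands in for process memory; not FireEye's or OpenSSL's code.
"""
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed sample of what might sit next to the record on the heap.
SECRET = b"refresh_token=EXAMPLE_TOKEN_NOT_REAL"


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.

    An honest peer sets payload_length to len(payload); a malicious one sets
    claimed_length far larger than the payload it actually sends.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytearray, record_start: int, record_length: int) -> bytes:
    """Pre-1.0.1g behaviour: copies payload_length bytes from the record buffer
    without checking that the record actually holds that many bytes."""
    hb_type, payload_length = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HB_REQUEST:
        return b""
    payload_start = record_start + 3
    payload = bytes(memory[payload_start:payload_start + payload_length])  # over-read
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def fixed_respond(memory: bytearray, record_start: int, record_length: int) -> bytes:
    """1.0.1g behaviour: the whole message (1 + 2 + payload + 16 padding) must
    fit inside the record that arrived, otherwise the message is discarded."""
    if record_length < 1 + 2 + MIN_PADDING:
        return b""
    hb_type, payload_length = struct.unpack_from("!BH", memory, record_start)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return b""
    payload_start = record_start + 3
    payload = bytes(memory[payload_start:payload_start + payload_length])
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def demo(claimed_length: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Lay a heartbeat record in fake memory with SECRET right after it and
    return (vulnerable response, fixed response)."""
    request = build_heartbeat(b"hello", claimed_length)
    memory = bytearray(32) + request + SECRET + bytearray(32)
    record_start, record_length = 32, len(request)
    return (vulnerable_respond(memory, record_start, record_length),
            fixed_respond(memory, record_start, record_length))


if __name__ == "__main__":
    honest_vuln, honest_fixed = demo()
    evil_vuln, evil_fixed = demo(0x4000)
    print("honest request, both handlers agree:", honest_vuln == honest_fixed)
    print("crafted request leaks secret from vulnerable handler:", SECRET in evil_vuln)
    print("fixed handler discards crafted request:", evil_fixed == b"")
```

Against the honest request both handlers return the same echo. Against the request that claims 0x4000 bytes, the vulnerable handler copies whatever follows the record in memory, which is how a malicious server harvests tokens from a client that connected to it; the fixed handler drops the message silently, as the patched OpenSSL does. Note that the client side is what matters here: the app is the TLS client, so the attacker needs to be the server it talks to, which is why FireEye's scenario starts with hijacking traffic.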
As FireEye points out, this is also why the "Heartbleed detectors" on Google Play may not accurately report whether a user's device is exploitable: most of them only check the platform's own OpenSSL, not the copies bundled inside installed apps.
According to the report, only six of the 17 detectors available on Google Play check installed apps as well as the platform, and two of those six fail to vet them properly, reporting vulnerable apps as safe. Some detectors are outright fake, per FireEye, and only two deliver results FireEye considers close to accurate (even those may show some false positives).
"We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications", says FireEye. Since game developers entice users to link their social network accounts, offering perks and bonuses for doing so, this may be a bigger issue than it seems at first glance.
"Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage", adds FireEye.
That said, the office apps that bundle a vulnerable library were found not to be exploitable: per FireEye's report, the vulnerable OpenSSL code is either "dead code" that is never reached, or the app "make[s] a mistake in the native code linkage", so that its TLS calls end up in Android's own (for the most part secure) implementation instead of the bundled copy. Either way, the potential for Heartbleed exploits is much lower than the raw library version suggests.
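One way to do the app-level check that most of the detectors above skip, as an added example (not FireEye's tool or code): an APK is a zip, so the copies of OpenSSL an app ships can be found by scanning its lib/*/*.so entries for the version string libcrypto embeds, then comparing against the releases that shipped the bug (1.0.1 through 1.0.1f, and 1.0.2-beta1). The sample APK, its fake .so contents and the regex are constructed for illustration.

```python
"""Heuristic scan of the OpenSSL copies bundled in an Android app's native libraries.

Added example, not FireEye's detector: finds libcrypto version strings in every
lib/*/*.so of an APK and flags the releases that shipped Heartbleed.
"""
import io
import re
import zipfile
from typing import Dict, List

# libcrypto embeds a string such as "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d)?)")

# Releases that contained the unchecked heartbeat copy; 1.0.1g and 1.0.2-beta2 fixed it.
HEARTBLEED_VERSIONS = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d",
                       "1.0.1e", "1.0.1f", "1.0.2-beta1"}


def openssl_versions(blob: bytes) -> List[str]:
    """Every distinct OpenSSL version string found in a library image."""
    return sorted({m.group(1).decode("ascii") for m in VERSION_RE.finditer(blob)})


def is_heartbleed_version(version: str) -> bool:
    return version in HEARTBLEED_VERSIONS


def scan_apk(apk_bytes: bytes) -> Dict[str, Dict[str, bool]]:
    """Map each native library that embeds OpenSSL to {version: vulnerable?}.

    Libraries with no version string are omitted. A hit is a lead, not proof
    of exploitability: the library may be dead code or never linked.
    """
    findings: Dict[str, Dict[str, bool]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                versions = openssl_versions(apk.read(name))
                if versions:
                    findings[name] = {v: is_heartbleed_version(v) for v in versions}
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: three fake .so files plus a dex entry."""
    def fake_so(marker: bytes) -> bytes:
        return b"\x7fELF" + b"\x00" * 12 + marker + b"\x00"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("lib/armeabi-v7a/libcrypto.so", fake_so(b"OpenSSL 1.0.1e 11 Feb 2013"))
        apk.writestr("lib/armeabi-v7a/libgamenet.so", fake_so(b"OpenSSL 1.0.1g 7 Apr 2014"))
        apk.writestr("lib/armeabi-v7a/libphysics.so", fake_so(b"no tls code here"))
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, versions in scan_apk(build_sample_apk()).items():
        for version, vulnerable in versions.items():
            status = "VULNERABLE build" if vulnerable else "not affected"
            print(f"{lib}: OpenSSL {version} -> {status}")
```

Read the result the way FireEye's findings suggest: a hit means the app ships a vulnerable build, not that it is exploitable. The library may be dead code or never actually linked (the office-app cases above), a vendor may have backported the fix without bumping the version string, and a build compiled with OPENSSL_NO_HEARTBEATS contains no heartbeat code at all. Conversely, a library whose version string was stripped scans clean here. Confirming exploitability means pointing the app at a TLS server you control and sending its client an oversized heartbeat, which is the check FireEye says it performed.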
The number of vulnerable downloads is actually lower than two weeks earlier, when downloads of Heartbleed-toting Android apps reached "at least" 220 million. Informed developers have started patching their offerings in Google Play, but what happens in other Android app stores?