Heartbleed flaw affects mobile apps, too

Many banking, mobile payment apps connect to servers vulnerable to OpenSSL flaw, says Trend Micro

Android and iOS mobile applications are just as vulnerable to the Heartbleed bug as websites are, security vendor Trend Micro warned in a blog post on Thursday.

Because of the threat, consumers should avoid making in-app purchases via their mobile devices until permanent fixes are available for Heartbleed, the company said.

According to Trend Micro, a scan of about 390,000 applications on Google Play uncovered about 1,300 apps that connect to servers vulnerable to Heartbleed.

Among those at risk are more than a dozen banking apps, about 40 payment apps and 10 online shopping apps.

The company said it also found several popular apps to be vulnerable because they connect to servers that are likely compromised. "Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions."

A significant number of those servers are affected by the vulnerability, Trend Micro noted.

"We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps -- and most concerning, even mobile payment apps," Trend Micro said. "These apps use sensitive personal and financial information -- data mines just ripe for the cybercriminal's picking."

JD Sherry, vice president of technology and solutions at Trend Micro, said the company did not perform a similar scan of applications available via Apple Store. But there is no doubt many of them are also at risk, he said.

Many view the Heartbleed vulnerability as one of the most serious Internet threats in a long time. The vulnerability stems from a basic programming error in OpenSSL versions 1.0.1 through 1.0.1f, software that is used to encrypt data by various browsers, operating systems and mobile applications. The flaw lets attackers grab confidential data like passwords and session keys from systems using the vulnerable software.
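The affected range above (1.0.1 through 1.0.1f) is the starting point for the kind of backend inventory triage the Trend Micro scan implies. The following is an added example, not code from the article or from Trend Micro: it parses `openssl version` banners collected from servers, flags those whose upstream version falls inside the affected range, and treats a hit as a candidate rather than a confirmed vulnerability, because distributions commonly backport the fix without changing the upstream version letter. Hostnames and banners in the sample inventory are constructed for the example.

```python
import re

# Affected range as stated in the article: OpenSSL 1.0.1 through 1.0.1f
# (1.0.1g carries the fix; 1.0.0 and 0.9.8 never had the heartbeat code).
AFFECTED_MIN = (1, 0, 1, "")
AFFECTED_MAX = (1, 0, 1, "f")

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) parsed from a version banner, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter.lower())


def in_heartbleed_range(version):
    """True when the upstream version falls inside 1.0.1 .. 1.0.1f.

    Tuple comparison orders the patch letter naturally ('' < 'a' < ... < 'f' < 'g'),
    so 1.0.1 (no letter) and 1.0.1f are both inside, 1.0.1g and 1.0.2 are outside.
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(hostname, banner):
    """Classify one inventory record.

    A version in range is only a *candidate*: distributions often ship a patched
    build under the original upstream string (e.g. a 1.0.1e package with the fix
    applied), so candidates still need a build-level check (package changelog or
    a heartbeat-handling test) before being declared vulnerable or clean.
    """
    version = parse_openssl_version(banner)
    if version is None:
        status = "unknown"          # not OpenSSL, or banner not recognised
    elif in_heartbleed_range(version):
        status = "candidate"        # upstream version affected; verify the build
    else:
        status = "not-in-range"     # outside 1.0.1 .. 1.0.1f
    return {"host": hostname, "version": version, "status": status}


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = [
    ("api.example-bank.test", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("pay.example-wallet.test", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy.example-shop.test", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("cdn.example-msg.test", "OpenSSL 1.0.2 22 Jan 2015"),
    ("unknown.example-health.test", "GnuTLS 3.1.22"),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Run triage over every (host, banner) pair and return the records."""
    return [triage(host, banner) for host, banner in inventory]


if __name__ == "__main__":
    for record in triage_inventory():
        print(f"{record['host']:32} {record['status']}")
```

The design choice worth noting is the three-way result: a version string alone can prove a server is outside the affected range, but it cannot prove a server inside the range is actually exploitable or actually patched, so the candidate list is what gets handed to a build-level verification step rather than reported as findings.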

According to Trend Micro, mobile applications that support in-app purchases can connect to servers that use affected versions of the OpenSSL software. "As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It's as simple and easy as that."

Even applications that do not support in-app purchases are at risk if the application connects to an online server that is vulnerable. "For example, your app could ask you to 'like' them on a social network, or 'follow' them on yet another for free rewards," and eventually lead users to a vulnerable server.

"Heartbleed further complicates the BYOD conversation that many organizations are struggling with," Sherry said. "This raises more questions and further exacerbates the challenge."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
