Heartbleed flaw affects mobile apps, too
Many banking, mobile payment apps connect to servers vulnerable to OpenSSL flaw, says Trend Micro
Computerworld - Android and iOS mobile applications are just as vulnerable to the Heartbleed bug as websites are, security vendor Trend Micro warned in a blog post on Thursday.
Because of the threat, consumers should avoid making in-app purchases via their mobile devices until permanent fixes are available for Heartbleed, the company said.
According to Trend Micro, a scan of about 390,000 applications on Google Play uncovered about 1,300 apps that connect to servers vulnerable to Heartbleed.
Among those at risk are more than a dozen banking apps, about 40 payment apps and 10 online shopping apps.
The company said it also found several popular apps to be vulnerable because they connect to servers that are likely compromised. "Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions," the post said.
A significant number of those servers are affected by the vulnerability, Trend Micro noted.
"We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps -- and most concerning, even mobile payment apps," Trend Micro said. "These apps use sensitive personal and financial information -- data mines just ripe for the cybercriminal's picking."
JD Sherry, vice president of technology and solutions at Trend Micro, said the company did not perform a similar scan of applications available via Apple Store. But there is no doubt many of them are also at risk, he said.
Many view the Heartbleed vulnerability as one of the most serious Internet threats in a long time. The vulnerability stems from a basic programming error in OpenSSL versions 1.0.1 through 1.0.1f, a library used to encrypt data by various browsers, operating systems and mobile applications. The flaw lets attackers grab confidential data like passwords and session keys from systems running the vulnerable software.
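As an added illustration, not code from the article or from OpenSSL itself, the following C model shows the shape of that programming error: a heartbeat handler that trusts the payload length field in the request, beside the bounds check that the fix introduced. The record layout is the real one, but the buffer contents, the "secret" and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding that follows the payload in a heartbeat record */

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it trusts the
 * payload length field inside the record and never compares it with rec_len.
 * Record layout: type(1) | payload length(2, big-endian) | payload | padding.
 * Returns the number of response bytes written (0 if the response would not fit). */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    (void)rec_len;                                  /* the actual record length is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > resp_cap) return 0;
    resp[0] = 2;                                    /* heartbeat response type */
    resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);             /* over-reads when payload > bytes received */
    memset(resp + 3 + payload, 0, HB_PADDING);      /* random in the real code; zero here */
    return total;
}

/* Hardened handler: the fix bounds the claimed length by the bytes actually
 * received and silently discards a record that claims more than it carries. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    return heartbeat_vulnerable(rec, rec_len, resp, resp_cap);   /* lengths agree, so the copy stays in bounds */
}

/* Constructed scenario: a 20-byte request claiming a 64-byte payload, with a
 * secret placed right after it in the same buffer (standing in for adjacent heap
 * memory). Returns 1 if the handler copied the secret into the response. */
int demo_leaks_secret(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    static const char secret[] = "SESSION-KEY-0xDEADBEEF";        /* constructed value */
    uint8_t memory[128] = {0}, resp[256];
    memory[0] = 1; memory[1] = 0; memory[2] = 64; memory[3] = 'A';  /* type=request, length=64, one real byte */
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;                        /* 20 bytes really received */
    memcpy(memory + rec_len, secret, sizeof secret);
    size_t n = handler(memory, rec_len, resp, sizeof resp);
    /* in the over-read case resp[3+k] mirrors memory[3+k], so the secret lands at resp[rec_len] */
    return n > rec_len + strlen(secret) && memcmp(resp + rec_len, secret, strlen(secret)) == 0;
}

int main(void) {
    printf("vulnerable handler leaks adjacent memory: %s\n", demo_leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks adjacent memory:      %s\n", demo_leaks_secret(heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

A well-formed request (claimed length matching the bytes received) passes both handlers unchanged; only the mismatched record is dropped by the fixed version.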
According to Trend Micro, mobile applications that support in-app purchases can connect to servers that use affected versions of the OpenSSL software. "As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It's as simple and easy as that."
Even applications that do not support in-app purchases are at risk if the application connects to an online server that is vulnerable. "For example, your app could ask you to 'like' them on a social network, or 'follow' them on yet another for free rewards" and eventually lead users to a vulnerable server.
"Heartbleed further complicates the BYOD conversation that many organizations are struggling with," Sherry said. "This raises more questions and further exacerbates the challenge."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.