Heartbleed flaw affects mobile apps, too
Many banking, mobile payment apps connect to servers vulnerable to OpenSSL flaw, says Trend Micro
Computerworld - Android and IOS mobile applications are just as vulnerable to the Heartbleed bug as websites are, security vendor Trend Micro warned in a blog post on Thursday.
Because of the threat, consumers should avoid making in-app purchases via their mobile devices until permanent fixes are available for Heartbleed, the company said.
According to Trend Micro, a scan of about 390,000 applications on Google Play uncovered about 1,300 apps that connect to servers vulnerable to Heartbleed.
Among those at risk are more than a dozen banking apps, about 40 payment apps and 10 online shopping apps.
The company said it also found several popular apps to be vulnerable. because they connect to servers likely compromised. "Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions."
A significant number of those servers are affected by the vulnerability, Trend Micro noted.
"We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps -- and most concerning, even mobile payment apps," Trend Micro said. "These apps use sensitive personal and financial information -- data mines just ripe for the cybercriminal's picking."
JD Sherry, vice president of technology and solutions at Trend Micro, said the company did not perform a similar scan of applications available via Apple Store. But there is no doubt many of them are also at risk, he said.
Many view the Heartbleed vulnerability as one of the most serious Internet threats in a long time. The vulnerability stems from a basic programming error in OpenSSL versions 1.0.1 through 1.0.1f that is used to encrypt data by various browsers, operating systems and mobile applications. The flaw lets attacks grab confidential data like passwords and session keys from systems using the vulnerable software.
According to Trend Micro, mobile applications that support in-app purchases can connect to servers that use affected versions of the OpenSSL software. "As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It's as simple and easy as that."
Even applications that do not support in-app purchases are at risk if the application connects to an online server that is vulnerable. "For example, your app could ask you to 'like' them on a social network, or 'follow' them on yet another for free rewards'' and eventually lead users to a vulnerable server.
"Heartbleed further complicates the BYOD conversation that many organizations are struggling with," Sherry said. "This raises more questions and further exacerbates the challenge."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Why Open Source Software Isn't as Secure as You Think
- Heartbleed still matters, and we're all partly to blame
- The Next Heartbleed: 5 Security Vulnerabilities to Watch
- Security Manager's Journal: Dealing with the heartburn of Heartbleed
- Rush to fight Heartbleed leads to errors with certificates and patches
- Security Manager's Journal: With Heartbleed, suddenly the world is paying attention to security
- Kenneth van Wyk: Looking beyond Heartbleed
- Tip of the Hat: Heartbleed prompts chastened tech giants to fund OpenSSL
- Most but not all sites have fixed Heartbleed flaw
- 3 privacy violations you shouldn't worry about
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!