Android App Developers Need to Check Their Apps for Heartbleed Vulnerability

A report from FireEye, a company that provides a virtual machine-based software security platform protecting companies against cyber attacks, has found that 150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Heartbleed allows attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. Due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. 

The FireEye report shows that there are currently at least 17 antivirus apps on Google Play branded as “Heartbleed detectors.” Six of these scan the OpenSSL library belonging to the Android platform for vulnerabilities. This method isn’t sufficient for detecting the Heartbleed vulnerability on Android due to the fact that, except in limited Android versions (mainly 4.1.0-4.1.1), the majority of Android platforms are not vulnerable, as most versions use OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, in the case of Android apps that use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeats messages to the app to steal sensitive memory contents.

FireEye studied specific apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.

During their investigation of the office apps that contains a vulnerable version of OpenSSL, the authors of the report were surprised that they were not vulnerable to the Heartbleed attack. How could it be? A deeper look by FireEye shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The authors say the linkage mistake is common for Android applications built with native code. As such, the side-effect of this mistake helps reduce the apps’ overall risk profile.

The report also shows that within the 17 Heartbleed detector apps on Google Play, only six detectors check installed apps on the device for Heartbleed vulnerability. Within the six, two of them report all apps installed as “Safe,” including those the authors confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. 

Only two of the detectors did a decent check on the Heartbleed vulnerability of apps. Although these two detector apps conservatively labeled some non-vulnerable apps as vulnerable, the authors agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes. The authors also have seen several fake Heartbleed detectors in the 17 apps, which don’t perform real detections nor display detection results to users and only serve as adware.

On April 10, FireEye scanned more than 54 thousand Google Play apps (each with over 100K downloads) and found that there were at least 220 million downloads affected by the Heartbleed vulnerability. The company has notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. 

The authors did find that most app developers and library vendors take Heartbleed seriously, as FireEye has started to see apps updated with proper fixes. The total number of vulnerable apps download has since decreased to 150 million on April 17th.