Heartbleed Security Scanner for Android helps detect whether your Android device is affected by the Heartbleed bug in OpenSSL and whether the vulnerable behavior is enabled.
Heartbleed Security Scanner works by determining what version of OpenSSL your device is using. If your device is using one of the affected versions of OpenSSL, we then check whether the specific vulnerable feature, called heartbeats, is enabled.
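The two-step check described above, sketched as an added example (this is not Lookout's code). It assumes the caller already has the OpenSSL version banner and knows whether heartbeats are enabled; the affected version ranges come from the OpenSSL advisory for CVE-2014-0160, not from this page, and the function names and sample banners are constructed for illustration.

```python
import re

# Affected ranges per the OpenSSL advisory for CVE-2014-0160 (assumption, not from
# this page): 1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1.
_BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d*))?")
_AFFECTED_101_LETTERS = {"", "a", "b", "c", "d", "e", "f"}
_AFFECTED_102_PRERELEASES = {"beta", "beta1"}


def parse_banner(banner):
    """Split a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into its parts."""
    match = _BANNER.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return match.group(1), match.group(2), match.group(3)


def version_affected(banner):
    """Step 1: is this OpenSSL release in the affected range?"""
    base, letter, prerelease = parse_banner(banner)
    if base == "1.0.1":
        # Vendor suffixes such as '-fips' are ignored; only the patch letter counts.
        return letter in _AFFECTED_101_LETTERS
    if base == "1.0.2":
        return prerelease in _AFFECTED_102_PRERELEASES
    return False  # 0.9.8 and 1.0.0 never shipped the heartbeat extension


def scan(banner, heartbeats_enabled):
    """Step 2: an affected version is only exploitable if heartbeats are enabled."""
    if not version_affected(banner):
        return "not affected"
    if heartbeats_enabled:
        return "vulnerable"
    return "affected version, heartbeats disabled"


if __name__ == "__main__":
    # Constructed sample inputs: (banner, heartbeats enabled?)
    samples = [
        ("OpenSSL 1.0.1e 11 Feb 2013", True),
        ("OpenSSL 1.0.1e 11 Feb 2013", False),
        ("OpenSSL 1.0.1g 7 Apr 2014", True),
        ("OpenSSL 0.9.8y 5 Feb 2013", True),
    ]
    for banner, enabled in samples:
        print("%-30s heartbeats=%-5s -> %s" % (banner, enabled, scan(banner, enabled)))
```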
■ What is Heartbleed?
Heartbleed is a software flaw in OpenSSL's “Heartbeat” function, which helps keep secure connections alive. This function was found to be vulnerable to manipulation in a way that allows an attacker to steal up to 64K of data at a time from the active memory of affected systems. The bug, found by researchers from Codenomicon and Google and tracked as CVE-2014-0160, impacts any infrastructure that includes the affected versions of OpenSSL.
■ Will Heartbleed Security Scanner fix the Heartbleed vulnerability?
Heartbleed Security Scanner is not meant to fix this vulnerability, as the vulnerability will need to be patched by Google or your device manufacturer. Heartbleed Security Scanner is only meant to keep you informed about the status of your device. The good news is that Lookout has not yet seen the Heartbleed vulnerability exploited on a mobile device.
■ Will Heartbleed Security Scanner tell me if my apps are affected?
Heartbleed Security Scanner will not detect whether any of the services or accounts (the apps and websites you visit) on your device are vulnerable. Heartbleed Security Scanner is only meant to detect vulnerabilities in Android.
In other words, your operating system might be fine, but the websites you’re accessing might not be. Look out for emails from companies with whom you have online accounts. If they needed to issue a patch, hopefully they will be alerting their customers.