With the Heartbleed bug worrying most people about their online security for a few days now, security firm Trend Micro has warned that the bug affects smartphones too.
On the TrendLabs blog, security researchers posted that mobile apps are also vulnerable to the Heartbleed flaw. The main reason the bug can affect smartphones is that mobile apps also connect to online servers and services to complete various functions.
Trend Micro stated that, “Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.”
“Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that,” they added.
“What about apps that don’t offer in-app purchases? Are they safe from this vulnerability? Not really—as long as it connects to an online server, it’s still vulnerable, even if your credit card isn’t involved. For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards. Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on their own, through their own in-app browser, and have you log into the social network there. While we’re not saying the social networks you go are vulnerable to the Heartbleed bug, the possibility is there, and thus the risk is there as well.”
Trend Micro stated that it scanned almost 390,000 apps from Google Play and found that around 1,300 of them connect to vulnerable servers. Among these, 15 were bank-related apps, 39 were online payment-related and 10 were shopping apps. The rest consisted of apps for social networking, keyboards, IM, health care and the like, which use an online server for data sync.
Trend Micro also stated that just changing passwords would not help completely, since the website operator also has to fix the flaw on the server side. Hence, it is better to stay away from these apps for a while, until the websites announce that they have fixed the flaw completely. Once it is fixed, you can change your passwords again and use the apps.