Should you be worried about Heartbleed on your mobile?

November 11, 2014 : TECHFacebooktwittergoogle_plusredditlinkedinmail

Should you be worried about Heartbleed on your mobile

Last week, the internet went into a mild state of meltdown when a bug in a widely-used security software was uncovered – and could have left millions of websites open to exploitation by hackers.

Known as 'Heartbleed', the error affects an extension in the open-source OpenSSL tool – which is designed to encrypt communications between a user's computer and a server – something that's essential if you want to do any sensitive activities such as online shopping. Without this encryption, you might as well be shouting your credit card number to the checkout assistant from the other side of the store.

No-one's still quite sure of just what the scale of the problem is, but the frantic moves by many companies to patch their systems and doom-laden warnings that everyone's passwords might be under threat aren't without merit. And it's not just people browsing on desktops that may be affected, as the bug could extend to people using mobile devices as well.

What is Heartbleed?

The bug got its moniker because of the way it compromises a specific extension to the SSL encryption standard that's dubbed Heartbeat by engineers – which should give you some idea of how critical it is to many web operations. 

Essentially, it allows anyone to read the memory of systems supposedly protected by OpenSSL, which could compromise the secret keys used to identify the service providers and to encrypt the traffic, the name and passwords of the users and the actual content.

What it means in real-terms is attackers could be able to intercept communications and use the information gained to steal data directly from services and users, as well as impersonating people elsewhere.

Who's at risk?

Next time you're browsing the web, take a look at the top left corner of the address bar. If you see a little green padlock symbol, that's the indicator that the website you're using is likely protected by SSL. It's a standard encryption service used by almost every web company for some use or other and without it, almost nothing on the internet would be secure.

Of course, it's important to remember not all sites will use the vulnerable version – so don't panic and set fire to your PC just yet. But some estimates are putting the number of potentially affected sites at around half a million – including popular services such as Yahoo!.

Some security experts have recommended people change all their online passwords, though there's a great deal of confusion about what best practice actually is here. Google, for instance, has told its users they do not need to change their passwords, as the company patched its sites before Heartbleed was made public. And some experts have warned that many smaller sites may not be as fast in fixing the systems – so changing passwords for these could still expose both old and new passwords to attackers.

Whether or not you feel compelled to go out and come up with new passwords for everything, it's a perfect example of why you shouldn't reuse the same password across multiple sites – all it takes is for just one of these to be vulnerable to Heartbleed and your entire online life might be compromised. Yes, it's hard coming up with a new and memorable password every time you click the 'Sign Up' button, but believe us, it's worth the effort.

Are mobile apps at risk?

Much of the attention so far has been on websites that use the vulnerable software, but there have also been warnings that mobile apps using the same solutions could also be at risk.

Security firm Trend Micro explained: "Mobile apps, like it or not, are just as vulnerable to the Heartbleed bug as websites are because apps often connect to servers and web services to complete various functions." The company estimates five per cent of the top million domains are affected by the bug, so it's perhaps inevitable that some mobile apps will be caught up in this as well.

In fact, an initial scan of 390,000 Google Play apps turned up 1,300 that connect to vulnerable servers, including  15 bank-related apps, 39 that are online payment-related, and ten related to online shopping. A more detailed second round of scanning bumped this number up to 7,000.

"What we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favourite app's developer releases a patch that does away with the vulnerability," Trend Micro said.

This entry was posted in TECH and tagged on by sarahstooks
Return to previous post Return to Blog