The Internet offers constant, instant access to a great many services, but it is not a secure place, and a severe flaw recently discovered in OpenSSL proves that once again.
Known as the Heartbleed bug, the security hole could result in data theft even when SSL/TLS encryption was in place.
Initially found to affect a wide range of websites, the bug was then found to affect mobile devices as well. In fact, it seems that a great many mobile applications pose a risk in this regard, especially those that work by connecting to a server.
Moreover, Google itself confirmed a few days ago that, after patching services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine, it had also discovered that Android 4.1.1 is affected by the bug.
“All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners),” the company said in a blog post.
However, although most Android versions are not affected, this does not mean that users are safe, especially those who use many applications, according to a recent post on the TrendLabs blog.
According to the post, apps that link users to social networking sites through their own in-app browsers could prove a liability (though this does not mean that the social networks themselves are vulnerable).
The company also notes that it has already discovered around 1,300 apps in the Google Play Store that are vulnerable to the Heartbleed bug, including bank, online payment, and online shopping-related apps.
“We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps–and most concerning, even mobile payment apps,” the blog post explains.
“These apps use sensitive personal and financial information—data mines just ripe for the cybercriminal’s picking.”
TrendLabs also notes that there is little users can do about the matter, and that it is the developers of these apps who need to patch their software in order to remove the flaw.
“This means upgrading to the patched version of OpenSSL, or at least turning off the problematic heartbeat extension,” the blog post explains.
Users, however, can protect themselves by holding off on in-app purchases and financial transactions from their mobile devices for a while, until developers find a solution to the issue and patch their apps.