It could result in leaked user info, stolen identity

Apr 16, 2014 11:35 GMT  ·  By
Heartbleed Bug found in bundled OpenSSL Library in Android 4.1.1 and certain apps

A recent report showed that certain Android applications are vulnerable to the Heartbleed Bug, and it now seems that more of them are affected by this security issue than first thought.

According to a new blog post from TrendLabs, a bundled OpenSSL library could actually render more apps vulnerable to said bug.

As the post reports, the bug in the OpenSSL build integrated into the mobile operating system itself affects only Android 4.1.1, something that Google has already acknowledged.

However, researchers at TrendLabs now claim that any app that ships its own copy of OpenSSL, which it uses to establish SSL/TLS connections, could be affected by the Heartbleed Bug, and that such apps can be compromised to leak user information from the device’s memory.

Moreover, the team claims that the issue is present even on handsets and tablets that do not run the affected platform version, because the vulnerable library travels with the app rather than with the OS.

They note that 273 applications in Google Play were found to be bundled with the standalone affected OpenSSL library, which makes them vulnerable on any device on which they are installed.

“In this list, we see last year’s most popular games, some VPN clients, a security app, a popular video player, an instant message app, a VOIP phone app and many others,” TrendLabs notes in the aforementioned blog post.

“As you may well know, the OpenSSL library is used by apps for secure communications. Lots of apps are from top developers. We also found the vulnerability in the older versions of Google’s apps.”

The post also notes that reverse (client-side) Heartbleed attacks are possible if the remote servers to which said apps connect are compromised: a malicious server can send the malformed heartbeat request to the vulnerable client.

Such an attack could expose the device’s memory to cybercriminals, which could leak sensitive information about the user if the app holds it in memory or stores it locally.

Users that connect to a service via a vulnerable VPN client or VOIP app may lose private keys or other credential information, which could result in stolen identity.

The team of researchers advises developers to update the bundled OpenSSL library as soon as possible and to publish the new versions of their apps to users.
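One way a developer or app-store reviewer can check whether an APK ships an affected OpenSSL build is to look at the version banner embedded in its bundled native libraries; the following is an added example, not code from the TrendLabs post, and it assumes the affected range is OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and uses a constructed, fake APK rather than a real app.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in libcrypto/libssl.
# Heartbleed affects 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.
_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")
_VULN_LETTERS = {"", "a", "b", "c", "d", "e", "f"}


def is_heartbleed_version(major, minor, patch, letter):
    """True when the version falls in the Heartbleed-affected range."""
    return (major, minor, patch) == (1, 0, 1) and letter in _VULN_LETTERS


def scan_apk(apk_bytes):
    """Return {lib_path: [banner strings]} for bundled native libraries whose
    OpenSSL version banner is in the affected range. This is a heuristic:
    a vendor may backport the fix without changing the banner, so treat a
    hit as 'needs review', and a miss as 'no bundled OpenSSL banner found'."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(name)
            hits = []
            for m in _BANNER.finditer(data):
                major, minor, patch = (int(x) for x in m.group(1, 2, 3))
                letter = m.group(4).decode()
                if is_heartbleed_version(major, minor, patch, letter):
                    hits.append(m.group(0).decode())
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk():
    """Constructed APK-like zip with two fake native libs (not real binaries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libcrypto.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013\x00...")
        z.writestr("lib/armeabi/libother.so", b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014\x00...")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, banners in scan_apk(build_sample_apk()).items():
        print(f"{lib}: {', '.join(banners)}")
```

To scan a real app, read the APK file into bytes and pass it to `scan_apk`; a result mapping a library path to an affected banner means the app should be rebuilt against a fixed OpenSSL and republished.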

“For general users, you need to be aware of the fact that your clients are able to leak information, no matter how secure the remote server is, or the good reputation or trustworthiness of the app developer,” the blog post continues.

“You should also update your apps as soon as a fix is made available. Google is currently distributing patching information for the affected Android version—you should also check if an update is made available for your device.”

Previously, TrendLabs said that around 7,000 apps in the Google Play store were found to be affected by the vulnerability, and it seems that around 1,000 of them have already been patched.