First, I located someone else's article about this and noted that it contained too much technical detail for people who have no time for, or interest in, these computer issues. To be fair, it was a well-written article, and I had no problem understanding it, but then, I am a geek. In fact, I have been working in the field of Information Security for the past 11 years, and in many other computer-related positions for the 19 years prior to that. However, I also know how painful it can be for anyone who does not deal with these things every day to understand what's going on, and what they can/should do about it.
Most people don't really CARE about the details, so I will continue to try to skip details and stick to facts and reasonably easy to follow information. The article I read (link if you wish to read it) provided the first simple thing that Android users can do to determine whether or not they should even care - a link to a FREE App from a respectable company named Lookout that scans your device to see if it is vulnerable.
https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector
I downloaded that immediately and ran the test. In my particular case, the device I tested did indeed have vulnerable software, but the exploitable piece of it was not enabled.* Here is what the App displayed on my screen:
Well, that was a slight relief. According to the App and the author of the article I read, if the version installed is not vulnerable, OR if the vulnerable behavior is not enabled, then I should be just fine.
But what can/should we do about things if our device really is affected? I needed to do more research into this, because some of you may not be as fortunate as I was, and I think an article such as this is pointless if it is not helpful to others.
Let's step back just a little bit first. The question I hear most is "what, if anything, can someone steal from my phone? My pictures? My text messages?". Then they say "I don't have anything I care about on my phone, so who cares?"
Well, here is what you should care about:
An attacker could quickly build a malicious website or advertisement to steal data from your phone's memory, just by your visit to the malicious site, or a site with the malicious advertisement. To which the next question I hear is: "So what? What's in my phone's memory that I don't know about or that is of value to anyone else?"
Well, if you happen to be using that smart phone of yours to browse the Internet, and that browser has other tabs open to a banking site, Facebook, or other financial sites, and you also browse to that malicious site, or a site with that malicious advertisement, within another browser tab, the attacker could take data from any of the other tabs that are open. I won't go into the details of "how" they can do this, but please trust me when I say that they can. I have had enough experience with hacking tools to know this to be true.
They "may" also be able to steal data from your phone's memory by visiting JUST their site, because your phone tends to keep this information in memory to help you access email, Facebook, and other applications without forcing you to re-enter your password every time. They won't necessarily be able to steal a whole document, picture, or other files from your phone, but they can easily steal your ID and password from any of those other sites by accessing your phone's memory. Once they have your ID and password(s), it's game over.
What to do if your Android device is vulnerable:
Further research has revealed to me that a patch has been created by Google, but each Carrier/phone maker needs to test it and make sure it works on their devices before pushing it out to our phones. As a result, it will take a fair amount of time for this new software to get out to the several million phones that are affected. In fact, some phones may never be able to be upgraded to the version Google claims is not affected because they are simply not capable of running that version due to design limitations.
Sounds pretty gloomy, I know. However, here are a few things that come to mind that you can do to reduce the risks of continuing to use your Android devices. This does NOT eliminate all risk, but it is less risky and something you can do while waiting for the patched software.
- Restrict yourself to running only one App at a time. Android allows us to run multiple applications at the same time, which can be quite handy. However, that also means the data for each is loaded into memory, which makes it more vulnerable to exposure by this HeartBleed bug. To reduce this risk you should restrict yourself to running only one App at a time. The problem is that every time you open an App, the previous App you had open remains open in the background. Fortunately, Android allows us to close any one or more Apps we no longer want to keep running. I won't spell out how to do this for every Android device, but here is a link to an article that does a pretty good job of explaining how to do this with several popular models: http://blog.laptopmag.com/how-to-close-android-apps. My Samsung Galaxy phone simply requires that I hold down the center menu button and a list of running Apps will appear so I can close them.
- Browse only one website at a time. In other words, when finished with one site, close that site completely before browsing any other site. If you happen to hit a malicious site, at least it won't be able to access information from other open sites because they will no longer be in the phone's memory.
- Avoid using Android VPN client software unless/until it is patched. If you happen to use your phone to connect to your work network, or some other secure site using a Virtual Private Network (VPN) App, you should look for a patched version because many of these were built using the vulnerable code. OpenVPN would definitely fit into this category, but I'm sure there are many others that make use of the encryption software that is vulnerable.
* Just FYI: the exploitable piece is the "Heartbeat" feature that was added 2 years ago which can be manipulated by an attacker to expose sensitive data; hence the nickname of Heart "Bleed" for this bug.
