Last Updated: April 12th, 2014

The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.

As a user, there's not a lot you can do to close this security hole on your device, but you might still want to know if you're vulnerable. That's where Bluebox Heartbleed Scanner comes in. The company is most widely recognized for the discovery and disclosure of the first "Master Key" vulnerability, but it has set its sights on the Heartbleed bug with an app that checks if either your version of Android or any of your installed applications are susceptible to attack.


Results for 3 different devices we've tested.

A piece of software is vulnerable if it uses a version of the OpenSSL library (1.0.1 through 1.0.1f) containing the recently discovered Heartbleed bug and if the heartbeat feature is enabled. If heartbeats are disabled, there's no way to exploit the weakness. While every version of AOSP from 4.1 and up contains vulnerable versions of OpenSSL, only Android 4.1.1 had the heartbeat feature turned on. It is possible that OEMs have switched heartbeat back on in their custom ROMs, but that's fairly unlikely.

The more important component of this app is its ability to scan for apps installed on your device that have bundled their own version of OpenSSL. Heartbleed Scanner checks these apps for the version of the library and whether heartbeat is enabled, and reports those that could possibly be in danger of an attack. If any apps do show up as vulnerable, you might consider reaching out to the developer, in case they somehow haven't already heard the news - but be careful not to overwhelm them. Of course, it's up to your own discretion if any app poses enough risk that it should be uninstalled or left unused until its developer issues a fix.
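The two conditions described above (an OpenSSL version from 1.0.1 through 1.0.1f, and heartbeat enabled) can be checked against the native libraries an app bundles. The sketch below is an added example, not Bluebox's code or method: it assumes the library still carries its OpenSSL version banner, treats the presence of OpenSSL's heartbeat handler names as a heuristic for heartbeat being compiled in, and runs on a constructed sample APK.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*) ")
# Heartbeat handler names from OpenSSL 1.0.1. Finding one is only a heuristic
# hint that the library was not built with OPENSSL_NO_HEARTBEATS.
HEARTBEAT_MARKERS = (b"tls1_process_heartbeat", b"dtls1_process_heartbeat")

def is_affected_version(number, letter):
    """True for 1.0.1 through 1.0.1f, the range the article gives."""
    return number == "1.0.1" and letter in ("", "a", "b", "c", "d", "e", "f")

def classify_library(blob):
    """Return (version, heartbeat_seen, verdict) for one native library."""
    match = VERSION_RE.search(blob)
    if match is None:
        return None, False, "no-openssl"
    number, letter = match.group(1).decode(), match.group(2).decode()
    heartbeat = any(marker in blob for marker in HEARTBEAT_MARKERS)
    if not is_affected_version(number, letter):
        return number + letter, heartbeat, "not-affected"
    verdict = "vulnerable" if heartbeat else "affected-version-heartbeat-off"
    return number + letter, heartbeat, verdict

def scan_apk(apk_file):
    """Classify every bundled .so in an APK (which is a zip archive)."""
    results = {}
    with zipfile.ZipFile(apk_file) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                results[name] = classify_library(apk.read(name))
    return results

def build_sample_apk():
    """Constructed in-memory APK with fake library contents for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi/libssl.so",
                     b"\x7fELF..OpenSSL 1.0.1e 11 Feb 2013\x00tls1_process_heartbeat\x00")
        apk.writestr("lib/armeabi/libprint.so", b"\x7fELF..OpenSSL 1.0.1c 10 May 2012\x00")
        apk.writestr("lib/armeabi/libnew.so",
                     b"\x7fELF..OpenSSL 1.0.1g 7 Apr 2014\x00tls1_process_heartbeat\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, result in scan_apk(build_sample_apk()).items():
        print(name, result)
```

A stripped or obfuscated library may hide both the banner and the handler names, so a clean result from a string check like this is weaker evidence than a flagged one.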

The Heartbleed bug was made public about a week ago and some have questioned exactly what data is at risk. There's no doubt that it can result in hacked accounts or leaked information, but it appears unlikely that it will actually lead to the exposure of any private SSL keys.

Update: It looks like the full SSL keys can be obtained through the Heartbleed bug.

If you want to discover potential weak points on your own device, Bluebox Heartbleed Scanner is free on the Play Store and only takes a few seconds to run.

Source: Bluebox

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Raymond Berger

    On my device the only vulnerable apps it detected are:
    Readmill (on its way out anyway so I doubt it will be patched)
    Spaceteam (I already emailed the dev)
    OfficeSuite (A really popular app that needs to be updated asap)

    • sean

      I do love some Spaceteam too!

  • Atomic Zombie

    Netflix is showing as vulnerable, hopefully it will get updated soon.

  • Sir_Brizz

    The device check is kind of silly. I sure hope your device isn't configured to accept SSL connections...

  • rmagruder

    Netflix, Facebook, BOTH vulnerable

    • Raymond Berger

      Do you have the latest version of Facebook? It doesn't detect it as vulnerable for me.

    • Stone Cold

      I gave up Facebook app when they started wanting to write emails on your behalf without your knowledge.

  • Ricardo Kummel

    Angry Birds is vulnerable...

  • DavidRuddock’sBrowserHistory

    Only people with something to hide care about security. - David Ruddock

    • orle

      Well, why didn't you say so. You should let me have remote access to your computer. The password to your phone, also your address, heck, just give me the keys to your house :P

  • humulos

    I assume that if an app is green it is fine? PS Touch and Angry Birds are both green, Netflix and Hero Academy are both vulnerable, emailed devs.

  • Mike Harris

    • Words (I'm assuming this is Words with Friends)
    • Candy Crush (as if I needed more of a reason to get rid of this POS game)
    • Netflix

  • ather akber

    Contacted devs of Candy crush and farm heroes and BBM cuz these were the apps listed in red on my N9005

  • Jalok Xlem

    Oh man, 3 apps say that I'm vulnerable:
    Only One: Meh. I already beat that game anyway. Uninstall
    Office Suite: ...fudge! Uninstall! Good thing I only had to pay $0.25 for it.
    Doom Touch (Contains OpenSSL): ...but I like Doom. :'(

  • Apple is a patent troll

    None of my apps are vulnerable which is good.

  • deltatux

    Only BBM is vulnerable on my end even though Facebook has been reported. I'm using the beta version so I guess it was patched there.

    • sabret00the

      In typical Blackberry fashion, they'll be in no rush to get a fix out.

  • Tony Damiani

    Nice little app. All King.com games are vulnerable... kik messenger and HP Print Service Plug In... Oh Lord..!

    • USiT

      HP Print service has heartbeats disabled so it's not vulnerable

  • black

    If you ask me, heartbleed was introduced by the NSA to eavesdrop on everyone, would be a statement I can't agree with.

    • white

      Heartbleed has nothing to do with "eavesdropping". It is the Heartbeat for OpenSSL.

  • Vasilis K.

    Osmos HD and Cogs vulnerable...

    • Martin B.

      Same 2 games are vulnerable on my devices... I will contact developers about this...

  • creator78

    Capital one's app and MLB at bat app are both vulnerable

  • taz89

    Weird that Netflix still shows up as vulnerable even though other sites listing sites that have patched the holes has Netflix as patched and with a new cert

  • Dhruv Aggarwal

    Facebook is vulnerable ...

    • Apple is a patent troll

      Of course it would be, how else are they going to get your information if they can't spy on you.