The Internet has been abuzz over the recently discovered Heartbleed bug. If you're not already familiar, Heartbleed is a vulnerability in the OpenSSL software library that allows an attacker to steal data directly from the memory space of an application and learn the private keys used to keep data securely encrypted as it travels over the Internet. The implications of this kind of leak are certainly severe, and it has everybody rushing to either install updates that fix the bug or implement workarounds to disable it.
As a user, there's not a lot you can do to close this security hole on your device, but you might still want to know if you're vulnerable. That's where Bluebox Heartbleed Scanner comes in. The company is most widely recognized for the discovery and disclosure of the first "Master Key" vulnerability, but it has set its sights on the Heartbleed bug with an app that checks whether either your version of Android or any of your installed applications is susceptible to attack.
Results for 3 different devices we've tested.
A piece of software is vulnerable if it uses a version of the OpenSSL library (1.0.1 through 1.0.1f) containing the recently discovered Heartbleed bug and if the heartbeat feature is enabled. If heartbeats are disabled, there's no way to exploit the weakness. While every version of AOSP from 4.1 and up contains a vulnerable version of OpenSSL, only Android 4.1.1 had the heartbeat feature turned on. It is possible that OEMs have switched heartbeat back on in their custom ROMs, but that's fairly unlikely.
The more important component of this app is its ability to scan for apps installed on your device that have bundled their own copy of OpenSSL. The scanner checks each of these apps for the version of the library and whether heartbeat is enabled, and reports those that could be in danger of an attack. If any apps do show up as vulnerable, you might consider reaching out to the developer, in case they somehow haven't already heard the news - but be careful not to overwhelm them. Of course, it's up to your own discretion whether any app poses enough risk that it should be uninstalled or left unused until its developer issues a fix.
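The two conditions described above (an OpenSSL build in the 1.0.1 through 1.0.1f range, and heartbeats enabled) are the whole decision a scanner like this has to make per app. The following is an added example, not Bluebox's code: it parses OpenSSL version banners, applies both conditions, and runs over a constructed inventory of bundled libraries; the app names, banners and heartbeat flags are made up for illustration.

```python
import re

# Added example, not the Bluebox scanner's own code. Affected OpenSSL releases are
# 1.0.1 (no letter suffix) through 1.0.1f; 1.0.1g and later are fixed, and the
# 1.0.0 and 0.9.8 branches never contained the heartbeat code at all.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")

def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e'); None if no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def version_in_affected_range(version):
    """True for 1.0.1 through 1.0.1f; False for 1.0.1g+, 1.0.2, 1.0.0x and 0.9.8x."""
    major, minor, patch, letter = version
    # Within the 1.0.1 line the suffix is a single letter, so string order is release order.
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"

def assess(banner, heartbeat_enabled):
    """Return 'vulnerable', 'safe' or 'unknown' for one OpenSSL build."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"   # no banner found (e.g. stripped library): flag for manual review
    if not version_in_affected_range(version):
        return "safe"
    # A bug-carrying version is only exploitable when heartbeats are compiled in.
    return "vulnerable" if heartbeat_enabled else "safe"

# Constructed sample inventory, the shape a device scan would produce:
# (package name, version banner found in the bundled library, heartbeat enabled?)
SAMPLE_APPS = [
    ("com.example.chat",    "OpenSSL 1.0.1e 11 Feb 2013", True),
    ("com.example.bank",    "OpenSSL 1.0.1g 7 Apr 2014",  True),
    ("com.example.photos",  "OpenSSL 1.0.1c 10 May 2012", False),
    ("com.example.oldgame", "OpenSSL 1.0.0k 5 Feb 2013",  True),
    ("com.example.unknown", "libcrypto stripped",         True),
]

def scan(apps):
    """Return {package name: status} for every app in the inventory."""
    return {name: assess(banner, hb) for name, banner, hb in apps}

if __name__ == "__main__":
    for name, status in scan(SAMPLE_APPS).items():
        print(f"{name:24s} {status}")
```

Only com.example.chat is reported as vulnerable: com.example.photos carries a bugged build but has heartbeats off, com.example.bank is already on 1.0.1g, and the stripped library is surfaced as unknown rather than silently passed.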
The Heartbleed bug was made public about a week ago and some have questioned exactly what data is at risk. There's no doubt that it can result in hacked accounts or leaked information, but it appears unlikely that it will actually lead to the exposure of any private SSL keys.
Update: It looks like the full SSL keys can be obtained through the Heartbleed bug.
If you want to discover potential weak points on your own device, Bluebox Heartbleed Scanner is free on the Play Store and only takes a few seconds to run.