Heartbleed-Check App for Android Released

They're looking for blood! Lookout Mobile Security has released a free app called Heartbleed Detector that checks to see whether an Android device is vulnerable to the Heartbleed bug. 

The Heartbleed bug, a serious error in an encryption library called OpenSSL that makes it devastatingly easy to grab supposedly secure data, mostly affects Web and email servers. However, Android 4.1.1 (a.k.a. Jelly Bean) does use a vulnerable version of the OpenSSL software.

Heartbleed Detector checks to see if you're running a vulnerable version of Android, and whether the vulnerable extension to OpenSSL is enabled on your device. However, the app can't fix the bug: Google, device manufacturers or wireless carriers will have to release an update that patches the vulnerability in Android 4.1.1.

There are some things you can do if Heartbleed Detector tells you you're vulnerable. First, check to see if your Android device has any available updates. Most of the devices from the biggest Android hardware creators, such as Samsung and HTC, can upgrade to Android 4.4 KitKat, and even updates to later versions of Jelly Bean, such as Android 4.1.2, 4.2 or 4.3, would fix the problem.

However, some older devices or devices from smaller manufacturers haven't received updates beyond Android 4.1, or simply don't meet the hardware requirements for newer versions. If that's the case with your phone or tablet, there's little you can do, other than purchase a new device or stay clear of mobile banking, shopping and social-networking apps.

Lookout's Heartbleed Detector can't detect whether your apps or the websites you visit on your mobile device are affected by Heartbleed. Other tools exist for checking individual websites, such as Qualys' SSL test or LastPass' Heartbleed checker, which also tells you whether a site has renewed its security signatures.

No one has yet found evidence of anyone maliciously exploiting the Heartbleed bug on a mobile device, or anywhere else. Nevertheless, the bug is extremely serious, and now that it's known, cybercriminals will certainly not hesitate to take advantage of it on unpatched websites and systems.

Email or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • jeffreyliberty
    ------ untrue. The NSA has been using this vulnerability to snoop on us for at least 2 years.
  • Aweso
    That's the thing with this bug. It leaves no traces, that's why no one can confirm if they have been attacked or not.