It’s been a number of weeks now since we all learned about Heartbleed, what it did, and the level of risk to which it exposed broad segments of the internet. On the heels of the bug’s discovery, all the major websites acted quickly and decisively to plug the gap and make sure they were secure. For the most part, they are, but here’s where it gets interesting. Our love affair with handhelds and the apps that run on them may cause problems that haunt us for months, or even years, to come.
A security firm called FireEye recently scanned more than fifty thousand apps to get a read on approximately how many were still vulnerable. The numbers are shocking, but should probably be taken with a grain of salt. The bottom line is that an estimated 150 million app installations are still vulnerable to Heartbleed.
Here’s what you need to know about the findings:
A similar scan taken at the first discovery of Heartbleed indicated some 220 million vulnerable apps, so we’re down considerably from the high, and still falling. Vast chunks of that 150 million figure are also made up of apps that almost no one is using. These are poorly rated, ill-supported apps that are unlikely to be downloaded and used to any great degree, and their own lack of support will cause them to vanish over time, so expect these numbers to continue to improve on two fronts in the months ahead. On the one hand, apps put out by responsible developers will be modified, patched, and updated, as has been happening so far, and those vulnerabilities will continue to disappear. On the other hand, the poorly designed and supported apps that are inflating these numbers will go away as users continue to shun them and they are eventually removed from circulation.
Do It Yourself Checks
For websites, there’s actually a place you can go, type in a URL, and test to see if the site you frequent is vulnerable. Most of the time, you don’t even have to do that though, since responsive website owners have been placing prominent notes on their home pages about their status as it relates to Heartbleed. If you’re visiting a site that hasn’t made an announcement, there’s a way you can check.
For apps, not so much. There are a number of apps on the Google Play store that claim to check for Heartbleed vulnerability, but FireEye reports that only a handful of them actually inspect the libraries needed to tell you anything useful. Short of paying a company like FireEye to check for you, there currently aren’t any good ways to find out whether the apps you use regularly are vulnerable.
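One check an administrator or developer can run on their own server, or against an app’s bundled OpenSSL build, is to confirm which OpenSSL version it carries. Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never contained the bug. The script below is an added example, not code from the original post or from FireEye, and the version strings it tests against are constructed samples. The function names are my own. One caveat that a version check alone cannot resolve: some Linux distributions backported the fix while keeping the 1.0.1e version string, so a result of "vulnerable" from this check should be confirmed against the distribution’s package changelog before acting on it.

```python
import re
import subprocess

# Heartbleed affected OpenSSL 1.0.1 up to and including 1.0.1f.
# 1.0.1g was the first release with the fix. (Well-known fact, not from the post.)
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "1.0.1e", "1.0.2", "0.9.8y" inside the output of `openssl version`.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) parsed from `openssl version` output.

    The letter suffix is "" when absent, e.g. a plain "1.0.1".
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version string found in: %r" % text)
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_vulnerable_version(text):
    """True if the version string falls in the 1.0.1 .. 1.0.1f range."""
    major, minor, patch, letter = parse_openssl_version(text)
    if (major, minor, patch) != VULNERABLE_BRANCH:
        # 1.0.0, 0.9.8 and 1.0.2+ were never affected.
        return False
    # Letters are single lowercase characters for this branch, so a plain
    # string comparison orders them correctly ("" < "a" < ... < "f" < "g").
    return letter < FIRST_FIXED_LETTER


def assess(text):
    """Summarise a version string as a small report dict."""
    major, minor, patch, letter = parse_openssl_version(text)
    return {
        "version": "%d.%d.%d%s" % (major, minor, patch, letter),
        "vulnerable_by_version": is_heartbleed_vulnerable_version(text),
    }


def assess_local_openssl():
    """Run `openssl version` on this machine and assess the result."""
    output = subprocess.check_output(["openssl", "version"]).decode()
    return assess(output)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l",
        "OpenSSL 1.0.2",
    ]
    for sample in samples:
        print(assess(sample))
    try:
        print("this host:", assess_local_openssl())
    except (OSError, subprocess.CalledProcessError):
        print("this host: openssl binary not available")
```

Because the check only compares version strings, it is safe to run anywhere and needs no network access; the trade-off is the backport caveat above, which is why the report field is named `vulnerable_by_version` rather than simply `vulnerable`.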
One thing you can do is this: steer clear of apps with relatively few (under 100k) downloads, or which get less than 4-star ratings and appear to be supported and updated only irregularly, as these seem to be where the majority of the vulnerable apps live. You can also try contacting the company that makes and maintains the app, although the level of responsiveness you see will vary greatly from app to app and company to company. Still, making the attempt is better than not, and it’s a sensible move to make.