5 Replies Latest reply on Apr 23, 2014 7:38 AM by Hector Meza

    Heartbleed Scanner

    Ritesh Gupta

      Bluebox has released a Heartbleed scanner which can quickly detect whether there are any vulnerabilities on a device. The Heartbleed scanner can look for apps installed on the device that have bundled their own version of OpenSSL and check the version of the library and whether heartbeat is enabled.


      The link to the app is at: http://files.bluebox.com/HeartbleedScanner_7.apk


      To read more about Bluebox: http://bluebox.com or contact 8e06eaa3-84d5-4d63-a675-14668e49f6b1

        • Re: Heartbleed Scanner
          Hector Meza

          I just installed the Heartbleed Scanner on two devices, very helpful. Would it be possible to have Bluebox expand the messaging to show which apps are exposing the OpenSSL threat?


          On my MC40 it shows OpenSSL is vulnerable and heartbeats are enabled.

          On my TC55 with GMS, OpenSSL is vulnerable but heartbeats are not enabled.


          It would be great to understand what the app found.


          HM

            • Re: Heartbleed Scanner
              Ritesh Gupta

              8e06eaa3-84d5-4d63-a675-14668e49f6b1 could you provide any additional details on how to view which apps are exposing the threat?

                • Re: Heartbleed Scanner
                  Jeff Forristal

                  Hello Ritesh et al.,


                  The current Bluebox Heartbleed Scanner will scan both the OS provided OpenSSL library, as well as apps.


                  For the OS, generally speaking it was AOSP code circa 4.1.1 that had a vulnerable version + configuration of OpenSSL in the AOSP codebase (repo) w/ heartbeats enabled.  That said, any vendor is free to make adjustments to the openssl build configuration as part of their repo checkout & firmware build process -- that's the power of it being open source!  There were no CTS tests that would check for heartbeats or other openssl config changes (other than the typical functional testing stuff), which means it's really at the discretion of the vendor on whether they adjusted the configuration or not.


                  As for apps, any app can bundle whatever native libraries they want.  The current Bluebox Heartbleed Scanner will check all non-copy-protected apps installed on the device, enumerate all the native libraries they include, and scan them to see if OpenSSL is embedded within them.  If it is, it will also check if heartbeats were enabled in that particular build.  The scanner will tell you every app that has bundled OpenSSL, the version, and whether it's a vulnerable version + has heartbeats.  You can see a screenshot of the individual app reports in the Google Play store:

                  Bluebox Heartbleed Scanner - Android Apps on Google Play


                  Copy protected apps can't be scanned because, well, they are copy protected.


                  cdfk46 is that what you were looking for, or did you have something else in mind?
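The scanning logic Jeff describes above (enumerate each app's native libraries, find embedded OpenSSL, read its version, and check whether heartbeats were compiled in) can be sketched as a small inventory script. The code below is an added example written for this thread; it is not Bluebox's scanner or any code from the original post. It assumes two heuristics that are labelled in the comments: OpenSSL's version text (`OpenSSL 1.0.1e 11 Feb 2013`) survives as a byte string in a stripped library, and a build made with `OPENSSL_NO_HEARTBEATS` omits the heartbeat handler names from the binary. The sample library contents are constructed stand-ins, not real APK payloads.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OpenSSL embeds its OPENSSL_VERSION_TEXT string (e.g. "OpenSSL 1.0.1e 11 Feb 2013")
# in libcrypto/libssl, so a raw byte search finds bundled copies even in stripped .so files.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(-beta\d)?")

# Assumption (heuristic): building with OPENSSL_NO_HEARTBEATS compiles out the
# heartbeat handlers in t1_lib.c / d1_both.c, so their names do not appear in the
# library. A build that kept the extension still carries these names.
HEARTBEAT_MARKERS = (b"tls1_process_heartbeat", b"dtls1_process_heartbeat", b"tls1_heartbeat")


@dataclass
class LibReport:
    app: str
    library: str
    version: Optional[str]          # None when no OpenSSL version string was found
    vulnerable_version: bool
    heartbeats_enabled: bool

    @property
    def exposed(self) -> bool:
        """Only a vulnerable version *with* heartbeats compiled in is actually at risk
        (the TC55 case in this thread: vulnerable build, heartbeats off, not exposed)."""
        return self.vulnerable_version and self.heartbeats_enabled


def is_heartbleed_version(base: str, letter: str, beta: str) -> bool:
    # CVE-2014-0160 affects 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g carries the fix.
    if base == "1.0.1":
        return letter <= "f"        # "" (plain 1.0.1) sorts before "a", so it counts too
    if base == "1.0.2":
        return beta == "-beta1"
    return False


def inspect_library(app: str, name: str, blob: bytes) -> LibReport:
    """Classify one native library by the version string and heartbeat markers it carries."""
    m = VERSION_RE.search(blob)
    if m is None:
        return LibReport(app, name, None, False, False)
    base = m.group(1).decode()
    letter = m.group(2).decode()
    beta = (m.group(3) or b"").decode()
    return LibReport(
        app, name, base + letter + beta,
        is_heartbleed_version(base, letter, beta),
        any(marker in blob for marker in HEARTBEAT_MARKERS),
    )


def scan_apps(apps: Dict[str, List[Tuple[str, bytes]]]) -> List[LibReport]:
    """apps maps a package name to the (library name, library bytes) pairs found under lib/."""
    return [inspect_library(app, name, blob)
            for app, libs in apps.items()
            for name, blob in libs]


# Constructed stand-ins for the native libraries an inventory step would extract from
# each APK; on a real device each blob would come from open(path, "rb").read().
SAMPLE_APPS = {
    "com.example.payments": [
        ("libcrypto.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...tls1_process_heartbeat..."),
    ],
    "com.example.messenger": [
        ("libssl.so", b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...ssl3_read_bytes..."),
    ],
    "com.example.updated": [
        ("libcrypto.so", b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014...tls1_process_heartbeat..."),
    ],
    "com.example.game": [
        ("libgame.so", b"\x7fELF...no crypto here..."),
    ],
}

if __name__ == "__main__":
    for r in scan_apps(SAMPLE_APPS):
        if r.exposed:
            status = "EXPOSED"
        elif r.vulnerable_version:
            status = "vulnerable build, heartbeats off"
        else:
            status = "ok"
        print(f"{r.app}/{r.library}: version={r.version} heartbeats={r.heartbeats_enabled} -> {status}")
```

The two-part verdict matters for triage: a library that reports a vulnerable version but no heartbeat markers (the messenger sample) is the "vulnerable but heartbeats not enabled" case Hector saw, and a 1.0.1g build with heartbeats present is fixed regardless of the extension. Both heuristics can produce false negatives on heavily obfuscated or statically renamed builds, so treat a clean result as "nothing found", not as proof.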

                • Re: Heartbleed Scanner
                  Pietro Francesco Maggi

                  Usually these kinds of apps (I've used this one by Lookout) report whether the version of OpenSSL installed on the device is affected by Heartbleed and whether that option was enabled when building the library.


                  Usually only up to Android v4.1.1 devices are affected.


                  Why Heartbleed is disabled on android:

                  https://news.ycombinator.com/item?id=7596165


                  This is the original bug report for flaky WiFi on Android:

                  http://code.google.com/p/android/issues/detail?id=34212