The Heartbleed bug is real, and it is not good. Unfortunately, the OpenSSL vulnerability that is causing us all headaches doesn’t just exist within websites, but also within mobile apps because many of them access the same servers that their website counterparts do. Android tablets and phones that run version 4.1.1 are also vulnerable. Google told DT over email that it believes that use of Android 4.1.1 is at “single digit percentages,” but that still means that up to 100+ million phones and tablets are vulnerable to the bug.
Updated on 4-15-2014 by Williams Pelegrin: GrubHub is not affected by the Heartbleed bug. Its status has been updated to reflect that.
Updated on 4-14-2014 by Williams Pelegrin: Added Box, Flickr, and Groupon apps. Also added updates for BlackBerry, Netflix, and TurboTax.
Updated on 4-11-2014 by Williams Pelegrin: Added GitHub and BlackBerry apps, updated Etsy with a statement, and included statements from Apple and Microsoft pertaining to their mobile operating systems.
Updated on 4-10-2014 by Josh Sherman: Added some more apps and a warning about in-app payment services that many apps use.
Before you begin, please read our How to Protect Your Device from Heartbleed Guide. It will explain more about the Heartbleed bug. We also have a robust list of Websites Affected by Heartbleed and Video Game Services Affected by Heartbleed.
Below, we’ve started a list of affected apps. This list is cross-platform, so it applies to all users. There are several million apps on the iTunes App Store, Google Play, Windows Phone Store, and Windows Store, but we have to start somewhere. Keep in mind that you should not change your password until a fix is issued for a service. Once it is, you’ll want to log out of your mobile app for a few minutes, change the password, and log back in. Remember that you can also enable two-factor authentication on many apps and services, which helps protect your account even if your password is compromised. Remember also that you can still use an app while it’s vulnerable, but that you should change the password once a fix is issued.
About in-app payments: We should note that many apps on your devices use in-app payment systems powered by Apple, Google, or Microsoft, depending on which OS you use. Both Apple’s and Microsoft’s systems have been unaffected. Google’s in-app payment system has been fixed, and you should change your Google/Android password if you use the Google Play Store. Remember that this vulnerability can only affect apps you log into, and it matters most for apps in which you can make transactions or bill purchases to your credit card.
About mobile operating systems: According to Apple, iOS did not incorporate “the vulnerable software.” Meanwhile, Microsoft says that Windows Phone does not use OpenSSL, while BlackBerry says its core products, which include BlackBerry smartphones, were not affected. In general, Android is not affected, though, as previously mentioned, Android devices running 4.1.1 are affected. For those with Android devices, we recommend downloading the Bluebox Heartbleed Scanner. It quickly checks whether your device, and the apps installed on it, are safe.
We will update this list constantly and flesh it out over the coming days and weeks.
Originally published on 4-10-2014.




