A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw

Heartbleed may be a billion times worse than you thought.

The Internet security world and the media have sounded alarms about potential vulnerabilities for consumers using “desktop” browsers to visit websites that may be running bogus server code. Yet little attention has been paid to the global problem of 40-60 billion active smartphone applications that may share some of those same servers or connect to their own group of servers that may also be compromised.

For three days now, I’ve been talking about this issue with various firms that specialize in mobile security, trying to get a handle on the issues and the risk. The emerging consensus is this:

Mobile users carrying smartphones and tablets who are not protected by an enterprise mobile management (EMM) solution are at far more risk than employees who are enrolled in an EMM solution at work. But, nobody is off the hook.

Let’s talk about employees who are enrolled in an EMM solution at work first.

As I see it, their risk is contained. The OpenSSL Heartbleed bug does not affect most of the providers of EMM solutions. CIO organizations that use some combination of mobile device and mobile application management frameworks (MDM/MAM) to support employee mobile initiatives through enterprise IT can create a secure and manageable connection between the enterprise and employee-enrolled devices. Indeed, Apple (for its iOS), BlackBerry (for its core platforms and its NOC), Good Technology (for its core platforms and its NOC), IBM (MaaS360), Microsoft and MobileIron have all reported that their core products are unaffected by Heartbleed. SAP and Symantec are still investigating the OpenSSL vulnerability.

As John Britton, Director, Office of the CTO at Good Technology, who himself was the victim of a bad app that found its way onto a personal phone he was carrying on an international trip, told me, “We designed our Good Dynamics platform in anticipation of the need to protect enterprises from security threats like Heartbleed.”

No one can predict attacks. If you aren’t exposed, it’s more by luck than plan.

My sense is that the more we, as an industry, continue to investigate our frameworks, the more issues may surface.

Consider:

Google acknowledged that it uses a vulnerable version of OpenSSL in the Android OS but has had the Heartbeat feature turned off since version 4.1.2 was released in 2012. Further, the company says that all versions of Android are immune to Heartbleed except Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners.

MobileIron issued a bulletin stating that its platform was not affected, but customers (<1%) who have installed its add-on BYOD Portal on-premises should check which version of OpenSSL their server is running.

BlackBerry is likely going to need to issue an update to its BBM client on Android.

Citrix said that the XenMobile App Controller versions 2.9 and 2.10 are vulnerable, and it is continuing to resolve the issues.

AirWatch by VMware was unresponsive to my query, but I did notice a bulletin in the VMware knowledge base notifying users that the AirWatch MDM module was unaffected. No word on other AirWatch products.

Good Technology’s AppCentral was found to be vulnerable but has since been updated and new certificates issued. A customer bulletin is in the works.

As you can see, there is ongoing work needed by CIO organizations and their suppliers to make sure that the risk exposure to their enterprise information and employees remains contained. (I’ll keep tabs on the situation and will detail recommendations in a follow-up post.)

“The threat landscape is always evolving,” said Ojas Rege, VP Strategy at MobileIron. “Having EMM protection for business data and, in this case, for the secure transmission of data from device to enterprise, mitigates the risk of data and credential loss.”

For now, though, the biggest issue we face is the potential plight of the unprotected mobile user.

“There are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know.” —Donald Rumsfeld, United States Secretary of Defense

Whatever your politics, Rumsfeld’s theory rings true here.

Here’s how it breaks down for me:

  1. Known known. Smartphone and tablet users who have downloaded applications from commercial app stores are exposed – that means all of us are vulnerable! The exposure comes mainly from an app connecting to a vulnerable server somewhere. Since at least 66% of servers connected to the Internet have a two-year exposure to this bug, we know there is a chance users may have already been compromised.
  2. Known unknown. What was compromised, or could still be compromised, is unknown. Stolen information could include private keys to applications, usernames/passwords, bank account or payment information. What’s more, someone may have listened, or still may be able to listen, to a VoIP call or instant messaging session. There is a glimmer of good news, however. We know that the Heartbleed flaw is limited to what secrets a bad guy can steal from a 64K area of memory on a server that can be tricked into spilling its guts.
  3. Unknown unknown. Security experts and system admins don’t know how pervasive the exposure is for Internet-connected, cloud and enterprise application servers. The only real certainty here is that mobility has far more scale than any “desktop” issue. More people carry phones, and there are more mobile applications -- both act as force multipliers to the cloud and other servers on the Internet that may have the OpenSSL vulnerability.
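The 64K figure in item 2 comes from the heartbeat message’s 16-bit payload length field. The following is an added example, not code from this article or from OpenSSL: it applies the bounds check that RFC 6520 requires (and that the patched OpenSSL enforces) to two constructed records, the check a patched server or a network sensor uses to tell a well-formed heartbeat from an oversized length claim.

```python
import struct

TLS_HEARTBEAT = 24        # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS heartbeat record and apply the bounds check RFC 6520 mandates.
    The vulnerable OpenSSL code trusted the 16-bit claimed payload length (hence
    the 64K ceiling) and copied that many bytes of its own memory into the reply;
    the fix, reproduced here, rejects any record whose claim exceeds what arrived."""
    if len(record) < 5:
        return {"ok": False, "reason": "truncated record header"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"ok": False, "reason": f"not a heartbeat record (type {ctype})"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length exceeds bytes on the wire"}
    if rec_len < 3:
        return {"ok": False, "reason": "heartbeat body too short"}
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": f"unknown heartbeat type {hb_type}"}
    available = rec_len - 3 - MIN_PADDING   # bytes that can legitimately be payload
    if claimed > available:
        return {"ok": False, "reason": "claimed payload length exceeds record",
                "claimed": claimed, "available": available}
    return {"ok": True, "payload": body[3:3 + claimed]}


# Constructed sample records (not captured traffic): a 23-byte heartbeat body
# carrying the 4-byte payload "ping" plus 16 bytes of padding, framed as TLS 1.1.
GOOD_RECORD = (b"\x18\x03\x02\x00\x17"          # type 24, version 0x0302, length 23
               + b"\x01\x00\x04" + b"ping" + b"\x00" * 16)
# Same framing, but the payload length field claims 65535 bytes: the pattern a
# patched server silently discards and a network sensor can flag.
BAD_RECORD = (b"\x18\x03\x02\x00\x17"
              + b"\x01\xff\xff" + b"ping" + b"\x00" * 16)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
```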

When I asked for his advice, Mark Gentile, Senior Technical Director, Mobile Workforce Productivity Group at Symantec, was blunt. “I’m not going to use my mobile banking app until I receive verification from my bank,” he said.

At first, that stance surprised me. But then I heard the other security experts I talked to echo the same recommendation. The problem is this: They may be waiting a long time before a bank actually signals an all clear. Even USAA, which was very forthcoming about its status and action on Heartbleed, made no mention of its mobile app and associated servers. When I tried to ask Bank of America about the security status of its mobile app/server solution, I was handed off into a PR black hole. Likewise, the representative from Citi apparently became so frustrated trying to find the answer to my question that she actually gave up.

What this all means is that the average consumer mobile or employee user may not know that there is any risk. And although there is a mad rush to build tools to scan for Heartbleed on Android phones, foolproof solutions aren’t available yet. Their capabilities are still evolving; I’ve seen multiple updates in the past three days. Plus, keep in mind: These tools also have to be installed and manually run.

At the end of the day, this really big problem revolves around disclosure and knowledge.

As Jeff Forristal, Bluebox chief technical officer, explained to me, “Accepting risk is a personal decision; but that decision should be informed, and that's why we feel it's important to help educate people regarding the nature of the risk they are deciding upon.”

Well said.

And as I see it, Heartbleed exposes these five critical and somewhat uncomfortable truths for the mobile security industry:

  1. We may be leading consumers to the slaughterhouse. The mobile ecosystem consists of those who control the operating systems, the distribution channels (carriers in most cases) and the application stores -- and none of them ever step up as champions of consumer protection. That has to change.
  2. There is no consumer awareness. The average smartphone user isn’t making the connection between the “Heartbleed Internet bug” and his/her mobile device. Popular sentiment seems to be that this is a website problem and that any PC browser that is running malware protection should make everything “okay.” Of course, that’s all wrong. The truth is that Heartbleed has nothing to do with some fault in a browser, or desktop operating system – for a change.
  3. Mobile security is still evolving. Mobile security has only evolved to the maturity status of a late-1990s desktop security model. Even if a server that is connected to a mobile app does the right thing by applying a patch, users are typically left in the dark about new certificates and revoking the old ones—until the next time they go to run a favorite app and find that the icon just sits there in some unresponsive state. Mobile apps could be designed to query certificate revocation lists (CRLs) and get new certificates, but they don’t. It’s not clear to me right now that any of the mobile OSes even allow that functionality.
  4. Our priorities need realignment. All of the mobile security issues I outlined above are being made far worse by the legions of developers who are tasked to write code (fast) with an emphasis on looking good and on features. Then, these applications talk to cloud and other servers that may be vulnerable. This is both a framework issue and a development environment problem. It doesn’t help that university coursework includes a very minimal amount of security education.
  5. The economics of risk overshadow the exposure of risk, and silence prevails in the mobile app economy. Fortunes are being made in mobile app stores. Retailers, banks, hospitality and the advertising industries all benefit from mobile as a new high-growth channel. Their silence about potential mobile vulnerabilities is an insurance bet that no material breach happens.

The problem is real. The threat verified.

Trend Micro scanned a mere 390,000 of some one million apps in Google Play. They found about 1,300 apps connected to vulnerable servers, including 15 bank-related apps, 39 online payment-related and 10 online shopping-related. Trend also identified a cadre of vulnerable instant messaging apps, health care apps, keyboard input apps – and most concerning, even mobile payment apps, “ripe for the cybercriminal’s picking.”

According to Ray Potter, CEO of SafeLogic, there could be more trouble ahead. “I think we haven’t seen the worst of the Heartbleed yet,” he said. “I can only imagine the tools, utilities and crawlers raced to be written by the bad guys to grab certificates or keys for future exploits, even on patched systems.”

How’s that for unknown unknowns?

“Although Heartbleed is being talked about as an Internet bug, the core issue always comes back to trust. How do you know you can trust your bank's web site, and why does your bank trust its app on your phone? That's why we always think end-to-end when we create strong mobile security,” said David Goldschlag, the CEO at MobileSpaces.

Perhaps most unsettling of all, there isn’t anything a mobile user can do to fix the problem; the only consolation is that the apps associated with big brands may move quickly to remediate any vulnerability.

For IT pros, there is still plenty of work to be done.

Mark Gentile from Symantec summed it up nicely. “Here is the way that IT pros need to think about this: if you thought that an unknown number of people had made copies of the keys to your house, would you change the locks? Of course you would. This is no different. Change your locks.”

Stay tuned. I think we’re in for a long ride . . . and it’s going to fundamentally change the way we look at mobile applications.

Update: 4/11/2014 @ 8:30pm - Corrected Android revision info. Thanks to Michael Salinger @mjsalinger for pointing out the error.