The Heartbleed bug may not be impacting the Android platform itself anytime soon, but some of the most downloaded apps on the mobile operating system are still at risk.
A few weeks ago, the whole world learned of a critical vulnerability, dubbed Heartbleed bug, which exists in widely used versions of the OpenSSL library and can enable decryption of communications that use SSL/TLS encryption.
Last week, researchers with FireEye scanned more than 54,000 Android apps featured in the official Google Play store and learned that more than a hundred of them were vulnerable, Hui Xue, a senior engineer with FireEye, told SCMagazine.com in a Wednesday email correspondence.
A hundred apps may not seem like a lot, but Xue said that each of those apps was downloaded by as few as 100,000 users. Based on the findings, the team concluded that, as of April 17, about 150 million Android app downloads were vulnerable to Heartbleed.
Fortunately that number seems to be dropping, Xue said, explaining in a Tuesday post that a week ago, on April 10, the number was closer to 220 million.
“It is surprising that many people are still at risk,” Xue said. “App vendors should act fast to protect users and users should be more aware that these app updates are far more important than the standard ones they get pushed.”
Xue could not speak about which apps were still vulnerable, but said that some these were big name downloads that topped the charts in the Google Play Store. Games, productivity apps, and media apps were observed to be most vulnerable, Xue added.
“We have notified some app developers and library vendors, [but] there are possibly many developers that may have not updated their apps quickly,” Xue said. “Even for the ones that have pushed an update, in some cases users need to apply the update, meaning updated apps can still have individual instances of vulnerability to Heartbleed.”