The Heartbleed bug is real, and it is not good. Unfortunately, the OpenSSL vulnerability that is causing us all headaches doesn’t just exist within websites, but also within mobile apps because many of them access the same servers that their website counterparts do. Android tablets and phones that run version 4.1.1 are also vulnerable. Google told DT over email that it believes that use of Android 4.1.1 is at “single digit percentages,” but that still means that up to 100+ million phones and tablets are vulnerable to the bug.
Updated on 4-15-2014 by Williams Pelegrin: GrubHub is not affected by the Heartbleed bug. Its status has been updated to reflect that.
Updated on 4-14-2014 by Williams Pelegrin: Added Box, Flickr, and Groupon apps. Also added updates for BlackBerry, Netflix, and TurboTax.
Updated on 4-11-2014 by Williams Pelegrin: Added GitHub and BlackBerry apps, updated Etsy with a statement, and included statements from Apple and Microsoft pertaining to their mobile operating systems.
Updated on 4-10-2014 by Josh Sherman: Added some more apps and a warning about in-app payment services that many apps use.
Before you begin, please read our How to Protect Your Device from Heartbleed Guide. It will explain more about the Heartbleed bug. We also have a robust list of Websites Affected by Heartbleed and Video Game Services Affected by Heartbleed.
Below, we’ve started a list of affected apps. This list is cross platform, so it affects all users. There are several million apps on the iTunes App Store, Google Play, Windows Phone Store, and Windows Store, but we have to start somewhere. Keep in mind that you should not change your password until a fix is issued for a service. Once it is, you’ll want to log out of your mobile app for a few minutes, change the password, and log back in. Remember that you can also enable two-factor authentication on many apps and services, which helps protect your account even if your password is compromised. Remember also that you can still use an app while it’s vulnerable, but that you should change the password once a fix is issued.
About in-app payments: We should note to readers that many apps on your devices use in-app payment systems powered by Apple, Google or Microsoft, depending on which OS you use. Both Apple’s and Microsoft’s system have been unaffected. Google’s in-app payment system has been fixed and you should change your Google/Android password if you use the Google Play Store. Remember that this vulnerability can only affects apps you log into, and most greatly affects those you can make transactions or bill to your credit card with.
About mobile operating systems: According to Apple, iOS did not incorporate “the vulnerable software.” Meanwhile, Microsoft says that Windows Phone does not use OpenSSL, while BlackBerry says its core products, which include BlackBerry smartphones, were not affected. In general, Android is not affected, though, as previously mentioned, Android devices running 4.1.1 are affected.
For those with Android devices, we recommend downloading the Bluebox Heartbleed Scanner. It quickly checks whether your device is safe or not, as well as the apps that are on your device.
We will update this list constantly and flesh it out over the coming days and weeks.
|AOL apps||UNAFFECTED||Was not running affected software -Mashable. Includes services such as AIM, AOL app and more.||YOU’RE GOOD|
|Amazon||UNAFFECTED||“Amazon.com is not affected.” -Mashable. Includes apps such as Amazon, Audible, Kindle, Amazon MP3 and Amazon App Store||YOU’RE GOOD|
|Apple and iOS||UNAFFECTED||“iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” -Mashable. Includes in-app payment system for iOS devices.||YOU’RE GOOD|
|Banking Apps (Most)||UNAFFECTED||Chase Bank, Citi, Capital One, Bank of America, TD Bank, U.S. Bank and Wells Fargo all state they have not been affected. If yours is not listed assume it is possibly at risk and contact your bank for more information||YOU’RE GOOD|
|Best Buy||UNAFFECTED||GitHub/Filippo||YOU’RE GOOD|
|BlackBerry apps||VULNERABLE||BlackBerry will roll out a patch for Android and iOS users of BlackBerry Messenger shortly. BBM on Android/iOS and Secure Work Space for Android/iOS are affected.||WAIT|
|Bitcoin||UNAFFECTED||Bitcoin was patched to address the OpenSSL issue, but it has no affect on your locally stored passwords and wallets on your device.||YOU’RE GOOD|
|Box||FIXED||“We’re currently working with our customers to proactively reset passwords and are also reissuing new SSL certificates for added protection||CHANGE PASSWORD NOW|
|Dropbox||FIXED||“We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.” – Mashable||CHANGE PASSWORD NOW|
|eBay||UNAFFECTED||“When you login to eBay using your user name and password these details were not exposed to the OpenSSL vulnerability.” – Mashable||YOU’RE GOOD|
|Etsy||FIXED||Part of its infrastructure was vulnerable, though it has been patched.||CHANGE PASSWORD NOW|
|Evernote||UNAFFECTED||Evernote reports that it does not use OpenSSL to secure its Evernote app services.||YOU’RE GOOD|
|Fandango||OTHER||Not affected by Heartbleed, but has been accused of not verifying SSL security. You should change your password anyway.||CHANGE PASSWORD NOW|
|Facebook apps||FIXED||“We added protections for Facebook’s implementation of Open SSL before this issue was publicly disclosed.” Also includes services that use your Facebook account to log in, such as Spotify.||CHANGE PASSWORD NOW|
|Flickr||FIXED||CHANGE PASSWORD NOW|
|GitHub apps||FIXED||There are no official GitHub apps, though Gitty and iOctocat are third-party clients that make extensive use of GitHub’s API. GitHub patched the vulnerability, and asked users to change their passwords, enable two-step authentication, and “revoke and recreate personal access and application tokens.” – Mashable||CHANGE PASSWORD NOW|
|Google apps and Android||FIXED||“We have assessed the SSL vulnerability and applied patches to key Google services.” – Mashable. Includes all Google accounts, services and in-app payment system.||CHANGE PASSWORD NOW|
|Groupon||UNAFFECTED||“Groupon.com does not utilize a version of the OpenSSL library that is susceptible to the Heartbleed bud” – Mashable||YOU’RE GOOD|
|GrubHub||UNAFFECTED||It is “secure and not vulnerable to the Heartbleed bug.”||YOU’RE GOOD|
|Hulu||FIXED||CNN Money||CHANGE PASSWORD NOW|
|FIXED||“Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed.”||CHANGE PASSWORD NOW|
|UNAFFECTED||“We didn’t use the offending implementation of Open SSL…” – Mashable||YOU’RE GOOD|
|Lookout Security||UNAFFECTED||Lookout reports it has been unaffected by the security flaw||YOU’RE GOOD|
|LastPass||UNAFFECTED||LastPass was unaffected but websites you use LastPass with may have been. Your master password is safe.||YOU’RE GOOD|
|Microsoft apps||UNAFFECTED||“Microsoft Services were not affected” -LastPass. Includes all services such as Bing, Skype, payments in the Windows Store app, etc.||YOU’RE GOOD|
|Netflix||FIXED||“Like many companies, we took immediate action to assess the vulnerability and address it.”||CHANGE PASSWORD NOW|
|Pandora||UNAFFECTED||Reported as not vulnerable to Heartbleed||YOU’RE GOOD|
|Paypal||UNAFFECTED||“Your PayPal account details were not exposed in the past and remain secure.” – PayPal||YOU’RE GOOD|
|FIXED||LastPass||CHANGE PASSWORD NOW|
|Snapchat||UNKNOWN||Reported as not vulnerable to Heartbleed||WAIT|
|Steam||FIXED||Appeared on Git 10,000 vulnerable list – now fixed according to Heartbleed tester||CHANGE PASSWORDS NOW|
|Stripe||FIXED||This payment service patched its system and recommends you change your password.||CHANGE PASSWORDS NOW|
|Target||UNAFFECTED||Does not “currently believe that any external-facing aspects of our sites are impacted by the OpenSSL vulnerability” – Mashable||YOU’RE GOOD|
|TurboTax||UNAFFECTED||“TurboTax engineers have verified TurboTax is not affected by Heartbleed.” It is “not proactively advising you to do so,” but better safe than sorry. – Full Statement||CHANGE PASSWORDS NOW|
|Tumblr||FIXED||“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.” – Mashable. Tumblr still recommends you change your password.||CHANGE PASSWORDS NOW|
|UNAFFECTED||“We were able to determine that [our] servers were not affected by this vulnerability” – Twitter||YOU’RE GOOD|
|Walmart||UNAFFECTED||“We do not use that technology so we have not been impacted by this particular breach.” – Mashable||YOU’RE GOOD|
|Wikipedia||FIXED||“The vulnerability has now been fixed on all Wikimedia wikis” – Only affects you if you login at Wikipedia.org||CHANGE PASSWORDS NOW|
|WordPress||UNKNOWN||It has “addressed the Heartbleed OpenSSL exploit,” but no word as to when its SSL certificates will be replaced and when you can change your passwords. It was||WAIT|
|XDA Developers||FIXED||Appeared on Git 10,000 vulnerable list – now fixed according to Heartbleed tester||CHANGE PASSWORDS NOW|
|Yahoo apps||FIXED||Yahoo Homepage, Search, Mail, Finance, Sports, Food, and Tech were patched. More patches on the way. – Mashable. Flickr has also been patched.||CHANGE PASSWORDS NOW|
Originally published on 4-10-2014.