April 9, 2014

Heartbleed Detector: Check If Your Android OS Is Vulnerable with Our App

lookout-heartbeat-detector

Monday, the world learned about a critical bug in OpenSSL called “Heartbleed.” It severely compromises the integrity of secure communications and there isn’t a whole lot consumers of the Internet can do to protect themselves.

But, of course, knowledge is power, so we’ve created the Heartbleed Detector, an app that will tell you if you’re running a vulnerable version of Android on your phone. While everyone has been talking about how Heartbleed affects servers and Internet infrastructure, it also affects mobile devices. Our detector app will help you figure out if your device is one of them.

You can download it here.

What is Heartbleed?

Heartbleed is a software flaw in the OpenSSL “Heartbeats” function that helps keep secure connections alive. This function was found to be vulnerable to manipulation in a way that allows an attacker to steal up to 64K of data at a time from the active memory of affected systems. The bug, found by researchers from Codenomicon and Google, and filed with the following reference number – CVE-2014-0160, impacts any infrastructure that includes the affected versions of OpenSSL.

How does the detector work?

This app determines what version of OpenSSL your device is using and then checks to see if the specific vulnerable feature called Heartbeats is enabled.

This app is not meant to fix this vulnerability, as this will need to be patched by Google or your device manufacturer, and it is only meant to keep you informed about the status of your device. The good news is that Lookout has not yet seen the Heartbleed vulnerability exploited on a mobile device, but you can stay updated with the latest information on our blog at blog.lookout.com.

The detector also doesn’t detect if websites or other online services you use are vulnerable — more about that below.

What should I do if I’m vulnerable?

If your device is vulnerable, you can check in your Android settings to see if you have any System Updates. If you do, update your operating system to make sure you’re running the newest version of Android available for your device.

Unfortunately, if there are no updates available, there isn’t anything you can do. It’s up to the infrastructure teams behind the products and services you use to update their systems. The good news is that we have yet to see any attacks targeting a mobile device, and while this is a credible risk, the likelihood of you encountering an exploit is low.

Will it protect me from affected websites?

No. This app will not detect if any of the services or accounts (the apps and websites you visit) on your device are vulnerable and is only meant to detect vulnerabilities in Android.

In other words, your operating system might be fine, but the websites you’re accessing might not. We suggest contacting your service providers to ask what steps they have taken to protect their systems from Heartbleed.

Should I change my passwords?

Not yet! Wait to hear from the services with which you have an account. Because the vulnerability pulls data from the active memory the affected systems, your password might not have lived in this data. If you change it now, you give anyone who exploits a still-vulnerable site access to your new password.

This vulnerability is one of the most widespread we’ve seen yet, affecting two-thirds of the Internet. We encourage companies to alert their consumers when their infrastructure has been shored up, letting account-holders know it’s safe to change their password.

Is Lookout all patched up?

Yes! Anyone coming to the Lookout app or our website is safe. Our web infrastructure was not impacted by the flaw, and we have already patched all other vulnerable systems.

As a precautionary measure we have also replaced all SSL certificates which may have been exposed by this flaw.
You can check out Lookout’s blog post on Heartbeat here.

43 comments
  1. Darlene Bell says:

    Thank you for your prompt attention.

  2. Nick says:

    Thanks for the prompt notice and action. You are the 1st to let me know.

  3. j pettigrew says:

    And for this reason I love my lookout! Lookout is protecting me before I even heard of this heartbleed. THANK YOU SO MUCH LOOKOUT!!!

  4. Roberta Smith-Milan says:

    No disrespect intended, but how do we know that this post is legitimate and not leading us to Heartbleed? I’ll admit, I’m not super tech savvy, but I have learned to be suspicious. Thanks for your reply.

  5. Kellie Bond says:

    Thank yall! I use yall on all my devices! #LookoutRocks

  6. dud says:

    this does not fix anything people.
    also email from google play is invalid
    and your app directs you to the home app of yours, but nothing gets fixed.

  7. Leonardo F. Cabrera says:

    Thank you for the Heartbleed alert! Lookout is a great, efficient and classy operation! We appreciate the company and employees efforts!
    Your software detected that my Samsung Android phone’s version 1.0.1e of OpenSSL is not, but could be affected by the bug. Can you let Google know? Are both companies working to resolve the vulnerability?
    Let me know of any update. Thanks!

  8. Jon says:

    I am very happy to have lookout and to have lookout lookout for me.thank you very very much

  9. jorge molina says:

    What is the fix? My device is vunerable but not affected.

  10. Meghan Kelly says:

    Check out our FAQ on next steps for users! https://faq.lookout.com/topics/31915614-heartbleed-detector-faq

  11. Meghan Kelly says:

    We can assure that this app was not made to exploit the Heartbleed vulnerability. Instead, we check to see if your phone is running a version of Android that has a vulnerable version of OpenSSL. From there we look to see if the Heartbeats function, where the actual vulnerability lives, is turned on. If it is, we’ll alert you.

  12. CARLOS says:

    YOU GUYS ARE GREAT.,THANK YOU SO MUCH FOR LETTING ME KNOW..

  13. Heart bleed is affecting my phone what should I do?

  14. Cynthia says:

    Thanks so much for letting me know, surprisingly I just read an article about this ” heartbleed” thing and then I immediately got an email from you guys! Thanks so much for looking out for me and all the other customers!! We love u guys ❤

  15. Thank you so much Lookout for sending me the alert about
    Heartbleed. I love you guys!!!

  16. JOSHI says:

    Thanks for heads up, keep doing good job guys!

  17. ladyhawke says:

    Thank you for being in the lead on this. It’s a shame the other software providers & websites cannot be this fast & forthright.

  18. denise says:

    Thank you

  19. Miguel Cortes says:

    THANK U SO MUCH!!!!! LOOKOUT FOR PROTECTING ME N LETTIN ME KNOW….

  20. Dixie wiley says:

    Thanks for being there for everyone. Even the local carried this alert over twelve hours AFTER your alert. I think your great.

  21. Jose Magalhaes says:

    Thank you for the big help. I hope we are all protected

  22. Victor Duncan says:

    Thanks Lookout! You guys have been great since day one! I tell & will retell all my friends on Facebook! Keep up the great work. Feel free to post this on my FB Like status.

  23. Jenson Romano says:

    Just wear a condom ! Protect yourself!!

  24. Why not provide an APK? says:

    Yes, Google’s platform is one way to distribute apps for Android, but why not provide an apk for those of us prefer not to or can’t use it?

  25. riley benge says:

    I want to thank you and your team for the security you give me, Lookout is really one of the best if not the best security system i have found, sence i have Lookout i know i can go on with my business without have to worry about my cell being hacked, Job well done…

  26. Melena says:

    Yesterday Lookout was running ALL the time and killed my battery so I uninstalled it. Also corrupted my card, lost over 600 pics and music etc. Was this related to this virus?

  27. philA says:

    This is a snake oil marketing ploy by a smartphone security company.

    Heartbleed is predominately and issue with a Server that accepts SSL connections going TO IT, not necessarily the client software on an endpoint like a smartphone.

    Even is Android is running a vulnerable client, the need to fix it is of lower priority than it is to fix SERVERS running the vulnerable application.

  28. julie says:

    Thanks for your efforts and this app.
    Hope everything come to normal.

  29. kelvin says:

    How will I know if my information is compromised by a site or if my phone is vulnerable

  30. dolores rafdal says:

    When i try to go to your blog page, it says “ERROR 404″ & also a blank window appears. What’s up with that?

  31. steven says:

    Thanks and I found out bout 5 days ago threw McAfee notifying me about heart bleed but I’m happy to have lookout

  32. ash says:

    Thank you Bc you are the first to let me know.

  33. Meghan Kelly says:

    We’re glad we could help keep you informed!

  34. Meghan Kelly says:

    We’re glad you have Lookout, too!

  35. Meghan Kelly says:

    Hey Dolores, we’re not sure what’s up with that! Send us more info? support [at] lookout [dot] com

  36. Meghan Kelly says:

    Kelvin, you can check to see if your device is vulnerable by downloading our Heartbleed Detector app for Android! https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector

    Check out our Heartbleed FAQ for more info: https://faq.lookout.com/topics/31915614-heartbleed-detector-faq

  37. Meghan Kelly says:

    Melena, that shouldn’t happen. Contact us at support [at] lookout [dot] com and provide us with a little context around what happened?

  38. Meghan Kelly says:

    Thanks for suggestion. Email us at support [at] lookout [dot] com

  39. Meghan Kelly says:

    We’re glad we could help keep people up to date and informed. :)

  40. Meghan Kelly says:

    Hi Jorge, check out our FAQ page for more information on how to respond! https://faq.lookout.com/topics/31915614-heartbleed-detector-faq

  41. maria virgínia says:

    I love so much LOOKOUT !!! Thanks for all.♡♡♡

  42. Doris Wittmann says:

    Kenn mich nimmer aus..Lookout hat mein Passwort geändert! Warum können die alle , die hir gepostst haben, kein richtiges deutsch? Ist einwenig komisch!

  43. Doris Wittmann says:

    Das hab ich so ned geschrieben! Ist ja alles durcheinander! Was ist da los?

Leave a comment