Heartbleed Bug: Time to Check your Android Device


Last week’s most important news was the discovery of a bug named ‘Heartbleed’, a vulnerability in OpenSSL, which is used by thousands of servers, programs and applications, that could allow third parties to steal your valuable data by intercepting connections considered to be safe. Most web services claim they have already patched their software, but there are still many companies and web services that have not yet spoken about their patching status, which only adds insult to injury.

There are many online tools that can help to diagnose which services are secure and which are not, but let’s not forget that Android itself uses OpenSSL (along with a good number of apps), and this is where these three Heartbleed scanner apps come into play.

The purpose of these apps is simple: they scan your device to check your Android version and determine what version of OpenSSL is being used. After the scan, they show a report that tells you whether your device is vulnerable to this bug. The following three tools are completely free, very small, and detect vulnerabilities in a matter of seconds.


Bluebox Heartbleed Scanner will perform a scan on your system and on the libraries of each application to check if they are secure or affected by the bug.

CMSecurity Heartbleed Detector is another app that will detect whether your system and installed apps are vulnerable to the OpenSSL bug.

Lookout Heartbleed Detector is a very good and fast scanner that will scan your system for the OpenSSL vulnerability. It won’t scan apps, though.

All these apps’ sole purpose is reporting if your system or apps are vulnerable to the Heartbleed Bug. They won’t attempt to fix or patch them, as it is the developers’ responsibility to update and patch their respective apps. It is up to you to keep a vulnerable app installed and wait for an update from the developer, or uninstall it altogether.
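The kind of version check these reports are built on, as an added example (not code from any of the three apps): it pulls OpenSSL version banners out of a library's bytes and classifies each one. The names classify and scan_library, the heartbeats_enabled flag (supplied by the caller rather than detected) and the sample bytes are assumptions made for this sketch.

```python
import re

# Version banner OpenSSL compiles into its libraries, e.g. b"OpenSSL 1.0.1c 10 May 2012".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d*))?")


def classify(base, letter="", beta="", heartbeats_enabled=True):
    """Classify one OpenSSL version for Heartbleed exposure."""
    if base == "1.0.1":
        # 1.0.1 through 1.0.1f are affected; 1.0.1g is the fixed release.
        affected = letter < "g"
    elif base == "1.0.2":
        # Affected pre-releases: 1.0.2-beta and 1.0.2-beta1.
        affected = beta in ("beta", "beta1")
    else:
        # 0.9.8 and 1.0.0 never shipped the heartbeat extension.
        affected = False
    if not affected:
        return "safe"
    # An affected version built without heartbeat support is not exposed.
    return "vulnerable" if heartbeats_enabled else "safe (heartbeats disabled)"


def scan_library(data, heartbeats_enabled=True):
    """Return sorted (version, verdict) pairs for every banner found in data.

    heartbeats_enabled is supplied by the caller (assumption): this sketch
    does not try to detect how the library was built.
    """
    found = {}
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        version = base + letter + ("-" + beta if beta else "")
        found[version] = classify(base, letter, beta, heartbeats_enabled)
    return sorted(found.items())


# Constructed sample bytes standing in for native libraries (not real files).
SYSTEM_LIB = b"\x7fELF\x00...OpenSSL 1.0.1c 10 May 2012\x00..."
BUNDLED_OLD = b"\x00\x00OpenSSL 1.0.0a 1 Jun 2010\x00"
BUNDLED_NEW = b"padding OpenSSL 1.0.1f 6 Jan 2014\x00 OpenSSL 1.0.1f 6 Jan 2014"

if __name__ == "__main__":
    print(scan_library(SYSTEM_LIB, heartbeats_enabled=False))
    print(scan_library(BUNDLED_OLD))
    print(scan_library(BUNDLED_NEW))
```

A banner match only says which OpenSSL release a library was built from, which is one reason two scanners can disagree about the same app.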


Free Mobile Apps of the Week

1.  Bluebox Heartbleed Scanner

For Android 2.3.3 and up
Size: 35 KB
Download: https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner


2.  CMSecurity Heartbleed Detector

For Android 2.2 and up
Size: 280 KB
Download: https://play.google.com/store/apps/details?id=com.cleanmaster.security.heartbleed


3.  Lookout Heartbleed Detector

For Android 2.2 and up
Size: 219 KB
Download: https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector




I just used both Bluebox and CM on my Galaxy Fame running 4.1.2 and find Bluebox to give fuller results. It states that the phone is running OpenSSL 1.0.1c but heartbeats are disabled so it is safe, and that one app (Virginmedia Smartcall) is using 1.0.0a and advises contacting the developer for further advice.

In contrast the CMSecurity app gives no information on the OpenSSL version on the phone and simply lists all the apps present with all marked safe.

First impressions would tend to suggest going with Bluebox.

I tried all three suggested apps. Curiously I found a difference between Bluebox Heartbleed Scanner and CMSecurity Heartbleed Detector. Heartbeat scanner declared that Navfree contains OpenSSL 1.0.1f with heartbeats enabled and therefore vulnerable. But CMSecurity found no such danger in Navfree.

Thanks for the feedback, todama. Each app uses a different approach when it comes to OpenSSL scanning, but BlueBox's method is, apparently, a bit more exhaustive, and one of its main advantages is that it shows the specific OpenSSL version a vulnerable app is using. CMSecurity Heartbleed Detector is not bad, but I would take BlueBox's word for the time being. However, if both apps flag an app as vulnerable, there is no room for doubts. According to the latest info, the only secure OpenSSL version is 1.0.1g, along with the old 0.9.8 and 1.0 versions. All the rest are vulnerable, including the 1.0.2 beta versions, so check that when installing an app. As for Android itself, although it looks like JellyBean 4.1.1 is the only truly vulnerable version to Heartbleed, the other versions are not 100% safe either. You can read a complete report from BlueBox Security here: https://bluebox.com/blog/technical/heartbleed-bug-impacts-mobile-devices/

Having tried both apps, I thought it responsible to report my findings to the community.
Your answer is perfectly logical and corresponds to what I figured out.