Heartbleed check for Android App

Question

How I can check whether a particular android app is vulnerable to heartbleed or not? I don't want to use any third party app. I have seen https://github.com/musalbas/heartbleed-masstest/blob/master/ssltest.py but I want to do it with app. I don't know the domain name the app is communicating to. Are the app bundle the OpenSSL libraries with apk, If yes how to find the version of OpenSSL being used.

@Solution: I have wriiten python module which takes an APK and it do the check for openSSL version and heartbeat extension.

import zipfile
import os
import re

def heart_bleed(tempdir, msl_outputfile):
    parrent_tempdir = tempdir.split('tmp')[0]
    sslpattern = re.compile("1.0.1[a-f]")
    flagssl = False
    flagheartbleed = False

    msllst_heartbleed = []
    msc_vulid = "heartbleed"
    msc_infoseverity = "Info"
    msc_medseverity = "Medium"
    apkpath = ''
    if (parrent_tempdir):
        for root, dummy_dirs, files in os.walk(parrent_tempdir):
            for allfile in files:
                if allfile.endswith(".apk"):

                    apkpath = os.path.join(root, allfile)

        #print(apkpath)
        with zipfile.ZipFile(apkpath, "r") as msl_apkread:
            for i in msl_apkread.namelist():
                if i.endswith(".so"):
                    data = msl_apkread.read(i)
                    if "part of OpenSSL" in data:
                        start = data.index("part of OpenSSL")
                        resultdata = str(data[start:start+40])
                        sslversion = re.findall(sslpattern, resultdata)
                        if sslversion:
                            flagssl = True

                            if "tls1_heartbeat" in data:
                                flagheartbleed = True

        if flagssl and flagheartbleed:
            print("The App is using OpenSSL version " + sslversion[0] + " which is vulnerable to Heartbleed and Heartbeat extension is enabled."))
        elif flagssl or flagheartbleed:
            print("The App is using OpenSSL version " + sslversion[0] + " which is vulnerable to Heartbleed but Heartbeat extension is disabled."))

Please comment is it right to do ?

Answer 1

It will be hard to test something without a tester. Android doesn't ship with a Test-App for Heartbleed (or any other security hole, such as the Master Key Exploit discovered about a year ago), as this would somehow defeat the purpose: Such a check-app must know about the security hole and how to check for it, and thus requires knowledge about that. If that knowledge is there, instead of writing an app to check for the hole, the devs rather should decide to fix it in the first place – which would make that app obsolete :)

So if a 3^rd party app is not acceptable for you, you're most likely out of luck. But in case you change your mind, you can find several security-checkers in this list. There's e.g. Heartbleed Security Scanner, which is pretty well rated (as of now, 4.6 stars with over 5,000 votes), and you can find it introduced in this AndroidPIT blog post.

Linked list category also holds some security suites covering multiple exploits and security risks, which might be a good choice to check if you're interested how it stands about security with your device.

Answer 2

Apps don't generally bundle OpenSSL themselves: rather, Android ships with OpenSSL included in the main framework, so in most cases it's the Android version that has or does not have the vulnerability, rather than the app itself. That said, it's certainly possible for an app to include its own OpenSSL, it's just unusual.

How does the Heartbleed security vulnerability affect my Android device? explains that only Android version 4.1.1 is vulnerable itself.

If the app contains a statically linked OpenSSL binary, and you don't want to use an app to check the behaviour, you have to unpackage the APK file to find the library.