I am trying to find if an Android application is vulnerable to the Heartbleed vulnerability. I want to know how to check if the application is vulnerable to Heartbleed by reversing the app file.
1 Answer
Heartbleed is primarily a server-side vulnerability and not in the client. You, of course, cannot detect the server-side problem from examining the client-side code. Even if the client has very old SSL code, you don't know what the server is running.
You can test the server for Heartbleed at https://filippo.io/Heartbleed/.
Heartbleed on the client will occur if the client is using a pre-fixed version of OpenSSL. The client vulnerability could only be exploited by a server that the client has contacted. That is, a server cannot find your client by snooping the network or anything of the sort. The client must initiate the contact.
A successful exploit will allow the server to read the process memory of the client. (Reading memory with Heartbleed is tricky and it may not be possible to read all of the process's memory, but let's ignore that.)
(Thanks to @StackzOfZtuff for helping with this edit)
- Clients were affected, too. See this question: [What clients are proven to be vulnerable to Heartbleed?](http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed) – StackzOfZtuff Jun 18 '15 at 17:05
- Really? Didn't know that. So the attack would be that the server you are connecting to or have partially connected to tries to read your process's memory. Correct? – Neil Smithline Jun 18 '15 at 17:34
- Yep. Seems to use the same faulty OpenSSL code. Not limited to server side. – StackzOfZtuff Jun 18 '15 at 18:42
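For the client-side case discussed in the answer and comments above, one way to inspect an app file is to list the OpenSSL version banners embedded in the APK's bundled native libraries and compare them with the versions the OpenSSL advisory for Heartbleed lists as affected. This is an added example, not code from the thread; the function names, the in-memory sample APK and its version strings are constructed, and the affected set is a placeholder to be filled in from the advisory.

```python
import io
import re
import zipfile

# Banner that OpenSSL builds embed: "OpenSSL <version> <day> <Mon> <year>".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def bundled_openssl_versions(apk):
    """Map each native library in the APK to the OpenSSL versions it embeds."""
    found = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            # Native code lives under lib/<abi>/ inside the APK archive.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            versions = {m.decode() for m in BANNER.findall(zf.read(name))}
            if versions:
                found[name] = sorted(versions)
    return found


def flag_affected(found, affected):
    """Keep only libraries whose version is in the caller-supplied affected set."""
    return {lib: [v for v in vs if v in affected]
            for lib, vs in found.items() if any(v in affected for v in vs)}


def build_sample_apk():
    """Constructed sample: an in-memory APK with made-up version banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi-v7a/libssl.so",
                    b"\x7fELF\x00junk\x00OpenSSL 9.9.9a 1 Jan 2000\x00more")
        # Statically linked copies show up in libraries with unrelated names.
        zf.writestr("lib/armeabi-v7a/libgame.so",
                    b"\x7fELF\x00OpenSSL 9.9.9b  2 Feb 2000\x00")
        zf.writestr("lib/x86/libplain.so", b"\x7fELF\x00no tls here")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    found = bundled_openssl_versions(build_sample_apk())
    AFFECTED = {"9.9.9a"}  # placeholder: fill from the OpenSSL advisory
    print(found)
    print(flag_affected(found, AFFECTED))
```

An APK with no matches may rely on the device's own TLS library or carry a build with the banner stripped, neither of which this scan covers.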