You have probably heard about Heartbleed over the past few days, and that as a consequence you should change your passwords.
While this is very good advice for general Internet users, if you are a mobile developer, a web developer or the product manager of an application, there are more steps you should take to make sure your users are safe.
First of all, what is Heartbleed? It is a vulnerability (CVE-2014-0160) in the TLS heartbeat extension of the OpenSSL library. In plain words, servers that accept encrypted connections (for example, to check the username and password from a login form) use some SSL/TLS library. Very probably that library is OpenSSL, and the affected versions have a bug that lets an attacker read the server's memory: the heartbeat code trusted a length field supplied by the other end of the connection and copied that many bytes back without checking that the peer had actually sent that much. The encryption itself is not broken; the problem is that the process hands out whatever it happens to have in memory.
OpenSSL is also used in mobile applications to make SSL connections to a server. These applications must be reviewed too, because a malicious or compromised server can send the same malformed heartbeat to a vulnerable client and read the client's memory.
Is that bug serious? Yes, pretty serious. Thanks to the popularity of this library (the Apache and nginx web servers, which together serve about two thirds of active sites, normally link against it), a large share of the Internet's servers were exposed. Each malformed heartbeat lets the attacker read up to 64 KB of the server process's memory, the request leaves no trace in normal logs, and it can be repeated as often as the attacker likes. That memory may contain the private key of the server's SSL certificate, session cookies, your users' passwords and recently transmitted data, all in plaintext.
Secure your servers
Most affected servers are Linux and UNIX based. If you think yours might be affected, you can use online services to verify: Qualys SSL Labs provides a comprehensive scan of your server's SSL configuration, and Filippo Valsorda's test page is a simpler, more direct check. Be aware that these tools only test the host and port you give them; do not forget mail servers (SMTP, IMAP and POP with STARTTLS), VPN endpoints and admin panels listening on other ports.
You can also check the OpenSSL version installed on your server:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable, and so is 1.0.2-beta1
- OpenSSL 1.0.1g (and 1.0.2-beta2) is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
- If you are running an OpenSSL 1.0.1x version, install the latest version to fix the bug. Note that Linux distributions usually backport the fix without changing the upstream version number (a patched Debian or Ubuntu package still reports 1.0.1e or 1.0.1), so check the package changelog for CVE-2014-0160 rather than trusting the version string alone. After the update, restart every service that had the old library loaded (web, mail, VPN, database, etc.) or reboot: a running process keeps using the old copy until it is restarted.
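The version check and the two follow-up checks from the list above (is the distribution's fix backported, and which processes still run the old library), written out as an added shell example. This is not code from the original post; it only inspects the local machine, and the changelog paths and the /proc scan are the standard Debian, RPM and Linux locations.

```shell
#!/bin/sh
# Added example (not code from the original post): three local checks for a
# Linux/UNIX server. Version strings, package names and paths are the real
# OpenSSL/Debian/RPM ones; nothing here talks to the network.

# Classify the output of `openssl version` against the affected range.
# Prints one of: vulnerable | fixed | not-affected | unknown
heartbleed_version_status() {
    set -- $1                          # split "OpenSSL 1.0.1e 11 Feb 2013" into words
    name=$1; ver=$2
    [ "$name" = LibreSSL ] && { echo not-affected; return; }   # LibreSSL forked from 1.0.1g
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;   # 1.0.1 .. 1.0.1f (incl. -fips builds)
        1.0.2-beta1)                           echo vulnerable ;;   # the 1.0.2 beta shipped the bug too
        1.0.1*|1.0.2*)                         echo fixed ;;        # 1.0.1g+, 1.0.2-beta2+
        1.0.0*|0.9.8*)                         echo not-affected ;; # heartbeat code never existed here
        1.1.*|3.*)                             echo not-affected ;; # released after the fix
        *)                                     echo unknown ;;
    esac
}

# Distributions backport the fix without bumping the upstream version, so a
# "vulnerable" answer above only means "check the package". Returns 0 if the
# installed package's changelog mentions CVE-2014-0160.
distro_package_has_fix() {
    if command -v dpkg >/dev/null 2>&1; then
        for pkg in libssl1.0.0 openssl; do
            f=/usr/share/doc/$pkg/changelog.Debian.gz
            [ -r "$f" ] && zgrep -q CVE-2014-0160 "$f" && return 0
        done
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160 && return 0
    fi
    return 1
}

# After the upgrade, every long-running process that loaded the old copy
# (nginx, apache, postfix, dovecot, ...) keeps it mapped until restarted.
# The kernel marks such mappings "(deleted)" in /proc/PID/maps.
processes_with_stale_openssl() {
    for maps in /proc/[0-9]*/maps; do
        if grep -qE 'lib(ssl|crypto).*\(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Report for the machine this runs on.
report() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version)
        echo "openssl version: $banner -> $(heartbleed_version_status "$banner")"
        if distro_package_has_fix; then
            echo "package changelog mentions CVE-2014-0160: the fix is backported"
        else
            echo "no CVE-2014-0160 entry in the package changelog (or not a Debian/RPM system)"
        fi
    fi
    stale=$(processes_with_stale_openssl)
    if [ -n "$stale" ]; then
        echo "processes still using a replaced libssl/libcrypto, restart them:"
        echo "$stale"
    fi
}
report
```

Run it as root to see every process; as an unprivileged user the /proc scan only covers your own processes, so a clean result there does not clear the web server.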
However, that is unfortunately only the first step.
Replace your SSL certificate
If your server was vulnerable, the private key of your SSL certificate may have been stolen. There is no way to tell whether it was or not, so if in doubt you should treat it as compromised and replace the certificate as a precaution. This only helps if you generate a new private key first and request the new certificate for that key; a certificate reissued for the old key leaves an attacker who already holds that key exactly where they were.
Check with your certificate issuer on the steps you should take. Once the new certificate is deployed, revoke the old one so that the material your potential attackers may have stolen is invalidated. Keep in mind that browsers check revocation inconsistently, so revocation complements the new key rather than replacing it. If your server uses TLS session tickets, rotate the ticket key as well; it lived in the same process memory.
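The key rotation described above, as an added example that is not part of the original post. The host name www.example.com, the file names and the self-signing step that stands in for your CA are placeholders for your real CSR-to-issuer flow; the checks use only the openssl command line.

```shell
#!/bin/sh
# Added example (not code from the original post): the key rotation Heartbleed
# calls for, plus a check that proves the new certificate really uses a new key.
# Host and file names are placeholders; the openssl CLI is the only dependency.

# 1. Generate a NEW private key and a CSR for it. Reissuing a certificate for
#    the old key is useless: it is the key, not the certificate, that may have
#    been read from the server's memory.
new_key_and_csr() {
    host=$1                                          # e.g. www.example.com (placeholder)
    umask 077                                        # new key readable by its owner only
    openssl genrsa -out "$host.key.new" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$host.key.new" -out "$host.csr" -subj "/CN=$host" >/dev/null 2>&1
}

# 2. Fingerprint the public key inside a certificate or a private key, so the
#    two can be compared without ever printing the private key.
pubkey_fp_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}'; }
pubkey_fp_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# Returns 0 if the certificate was issued for the given private key.
cert_matches_key() {
    c=$(pubkey_fp_of_cert "$1"); k=$(pubkey_fp_of_key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 3. Once the new certificate is live, confirm from the outside that the server
#    no longer presents the old key (network call; not exercised by the self-test).
deployed_cert_matches_key() {
    host=$1; key=$2
    live=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
           openssl x509 -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$live" ] && [ "$live" = "$(pubkey_fp_of_key "$key")" ]
}

# Self-test on a throwaway pair (constructed locally). The new key self-signs
# its own CSR in place of the CA; that is enough to check key/cert correspondence.
selftest() {
    tmp=$(mktemp -d) || return 1
    if ( cd "$tmp" &&
         openssl req -x509 -newkey rsa:2048 -nodes -keyout old.key -out old.crt \
             -subj /CN=www.example.com -days 1 >/dev/null 2>&1 &&
         new_key_and_csr www.example.com &&
         openssl x509 -req -in www.example.com.csr -signkey www.example.com.key.new \
             -out new.crt -days 1 >/dev/null 2>&1 &&
         # sanity: the old certificate belongs to the old key
         cert_matches_key old.crt old.key &&
         # the possibly leaked key must NOT match the new certificate
         ! cert_matches_key new.crt old.key &&
         cert_matches_key new.crt www.example.com.key.new ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

selftest && echo "self-test passed: new certificate does not use the old key"
```

In a real rotation the CSR goes to your issuer instead of the self-signing step; run cert_matches_key on what comes back against the old key before you deploy it, and deployed_cert_matches_key against the old key afterwards to confirm the swap actually reached every front end.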
Change your passwords
Not only should you change your passwords as a regular user; also remember all the passwords you use to manage the system, such as your server's consoles (cPanel, phpMyAdmin, etc.), hosting services (AWS console, Rackspace, Dreamhost, OVH, Arsys, etc.) and code repositories (GitHub, BitBucket, etc.). Do this only after the affected service has been patched; otherwise the new password can leak just like the old one.
Remember also to change the passwords on unaffected services that shared the same password. By the way, you should never reuse passwords. If you are in the process of changing all of them, make sure you use a different one for each site; this will save you a lot of trouble in the future. API keys, OAuth tokens and session cookies that passed through the server's memory are worth rotating too, not just passwords.
If you use SSH keys, don't worry: they were not affected by this bug. SSH is handled by a different program (usually OpenSSH), which uses OpenSSL only for its cryptographic primitives and never runs the TLS heartbeat code.
Secure your clients
If you are programming a mobile application and not using the system's standard networking APIs, it is very probable that you bundled OpenSSL. OpenSSL clients in the 1.0.1 versions were vulnerable too: a server the app connects to (or anyone who can impersonate it on the network) can send the malformed heartbeat and read the app's memory. Update the bundled library and push an application update to your users as soon as possible. Apps that rely on the platform's own TLS stack should check what the platform ships as well; Google reported that Android 4.1.1 carried a vulnerable OpenSSL.
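One way to find out which OpenSSL an app actually bundles, as an added example that is not from the original post. It relies on the version banner every OpenSSL build embeds in its binary; the paths are placeholders, and the result is compared against the version list in the server section above.

```shell
#!/bin/sh
# Added example (not code from the original post): find the OpenSSL version
# banner inside a compiled library or app binary. Every OpenSSL build embeds
# the same string that `openssl version` prints ("OpenSSL 1.0.1e 11 Feb 2013"),
# so a copy linked into an .so, .dylib or app executable can be identified
# without the source. Paths are placeholders.

# Print every OpenSSL banner found in one file (binary or text), deduplicated.
# `tr` reduces the file to its printable runs so plain grep works without `strings`.
openssl_banners_in() {
    tr -c '[:print:]' '\n' < "$1" |
    grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[A-Za-z0-9]+)? +[0-9]{1,2} [A-Z][a-z]{2} [0-9]{4}' |
    sort -u
}

# Walk an unpacked app (the lib/ tree of an APK after `unzip`, an iOS .app
# bundle, or any native library directory) and report each binary that embeds
# OpenSSL. Compare each banner against the version list above.
report_openssl_in_tree() {
    find "$1" -type f \( -name '*.so' -o -name '*.dylib' -o -perm -100 \) 2>/dev/null |
    while IFS= read -r f; do
        banners=$(openssl_banners_in "$f")
        if [ -n "$banners" ]; then
            printf '%s: %s\n' "$f" "$(printf '%s' "$banners" | tr '\n' ' ')"
        fi
    done
}

# Usage: sh find_openssl.sh path/to/unpacked/app   (script name is a placeholder)
[ $# -gt 0 ] && report_openssl_in_tree "$1"
```

A banner of 1.0.1 through 1.0.1f in a shipped app means the fix must go out as an app update; a library built with OPENSSL_NO_HEARTBEATS would still show the old banner, so in that one case check your build flags rather than the string.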
Tell your users
Your users want to know their data is safe. Whether you were vulnerable or not, it is good to tell them which steps you have taken and to show that you take their security seriously. If there was a possibility that your servers were compromised, advise them to change their passwords, but only once you have patched the server and replaced the certificate; otherwise you are asking them to send a fresh password through a channel that may still leak it. Even though you might think this would be bad press for your service, users will be happier knowing you take security seriously.
Seek professional advice
We at Mobile Jazz are here to help. If you have a mobile application and are unsure about what you should do next, be it a technical question or concerns about the communication with your customers, don't hesitate to contact us at firstname.lastname@example.org.