Heartbleed and Games on Android

Last week there was a lot of excitement about a new vulnerability found in OpenSSL.  OpenSSL helps secure most of the encrypted communication on the Internet, so any vulnerability in it can potentially put a large amount of data at risk.

Heartbleed doesn’t allow an attacker to listen to your communications with a server directly, but it does allow an attacker to read data in the server’s memory.  Here is an overview of how the vulnerability works, thanks to xkcd (http://xkcd.com/1354/):

Is Heartbleed a problem for Android games?

In theory, this vulnerability is symmetrical.  If the client is using a vulnerable version of OpenSSL, the server can read memory directly from the client’s memory.  That sounds scary, but in reality there is little to be worried about.  Here’s why:

- The only servers that could potentially read your data are the servers your game already connects to.  These are typically the servers of companies like Google, Facebook, Twitter, and possibly the game developer.

- The only data that is accessible to an attacker is the data in your game itself, which is usually very low-value data outside of the game.  Android protects (or “sandboxes”) the memory used by apps so that they cannot read or write memory used by other apps on the system.  Any attempt by an attacker to read memory outside of your game would result in your game crashing, at worst.  No data outside your game would be lost.

What about games with advertisements or analytics?

In theory, a malicious advertiser could also steal your game’s data using the Heartbleed vulnerability, if your game talks to the advertiser’s server.  However, extracting data that would be interesting to an advertiser or analytics provider in an automated fashion is difficult enough that even malicious advertisers would be unlikely to bother for games.  And, as we described above, usually the data in your game is not very interesting outside of your game.

Additionally, advertisers make their money by having application developers integrate their advertising service, so if it was ever discovered that they were trying to steal application data, they would very quickly go out of business, since most application developers would be unwilling to work with such an advertiser or analytics provider.

But my game lets me log in to Facebook and Twitter, and lets me buy stuff on Google Play!  Can’t someone use Heartbleed against my game to steal login credentials or payment data?

Normally, all of these connections are made through different apps, such as Facebook, Twitter, Google Play, or your Android web browser.  As described above, the memory of those apps is inaccessible to your app on Android, so the data is not vulnerable to Heartbleed via your game.

But Bluebox’s Heartbleed Scanner App says my game may be vulnerable!

The Bluebox scanner app is unable to directly determine whether a particular app is vulnerable, because the apps are not running an OpenSSL server that listens for connections.  Instead, the Bluebox app just checks to see if your apps have any version of the OpenSSL library at all.  From https://bluebox.com/technical/heartbleed-bug-impacts-mobile-devices/:

“Additionally we scan all of the applications on your device and present you with ones that contain their own openssl library — you should follow up with those app developers to confirm they are using a safe version of OpenSSL.”

Any game that ships with OpenSSL will always show up as possibly vulnerable, regardless of whether the version of OpenSSL the app uses is actually vulnerable, because the Bluebox app has no way of telling if the app is vulnerable.

What is Apportable doing to protect my game data?

We have already implemented the patch to our OpenSSL library so that future releases of our games and our SDK will not be vulnerable to Heartbleed.  We will be releasing updated versions of the apps we ship on an ongoing basis.  

The most important thing you can do is check if the servers your games connect to have the vulnerability, since personal information you have shared with your game could be on those servers, and an attacker could try to steal data from those servers using Heartbleed.  McAffee has a Heartbleed scanner for public use: http://tif.mcafee.com/heartbleedtest.

If you want more information about Heartbleed, we would recommend starting with http://heartbleed.com/.  It contains a more detailed overview about how the bug works, and links to a lot of excellent technical information about the vulnerability.