What does it mean that I'm affected, but not vulnerable?
Android devices ship with OpenSSL already built into the operating system. Different Android versions have different versions of OpenSSL. The Heartbleed vulnerability lives in an OpenSSL feature called Heartbeats.
We will tell you that your phone is affected if it is running a version of Android that has the vulnerable OpenSSL.
However, in some Android versions the Heartbeats feature is turned off. If Heartbeats is turned off, the Heartbleed vulnerability is not active. Thus, your phone itself is not vulnerable, just affected.
What can I do about this?
If your phone is affected, or both affected and vulnerable, we suggest you update your OS to the latest version of Android. However, if you don't have an update available, you unfortunately have to wait for your services to update their infrastructure before you can get the fix. We suggest getting in touch with the companies with which you have online accounts and asking whether they've patched their systems and updated their certificates.
Can't Lookout fix it?
Unfortunately, it's not possible for Lookout -- or any other security company -- to go in and fix a vulnerable app or vulnerable service infrastructure. The responsibility lies with the company that developed the app or manages the service's infrastructure. That company has to patch its systems or applications to ensure they are using the fixed version of OpenSSL. Lookout simply doesn't have access to their code to suggest a fix for them. Instead, we inform users so that they know whether or not they should be concerned, which empowers them to take steps to protect themselves.
Does Heartbleed affect iOS?
Apple does not ship iOS with OpenSSL, so your iPhone is neither affected nor vulnerable. However, the apps you use on your iPhone might be.
We suggest you reach out to each app company and ask whether they have patched their systems and updated their certificates.
Should I change my passwords?
Only for companies you know have patched their systems with the secure version of OpenSSL. The Heartbleed bug allows attackers to pull out 64K of random data from the active memory of the affected system. If everyone starts pouring new passwords into these affected systems, attackers can pull out a goldmine of new passwords.
Wait until you've heard from a company that its systems have been patched. Then you're safe to change your password.
What does Google say about Heartbleed?
All versions of Android are immune to CVE-2014-0160 [Heartbleed] with the exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners.
Want to understand Heartbleed better? Check this out: http://www.xkcd.com/1354.