Let’s start with the bad news. According to the Google Online Security Blog App Engine was affected, but don’t panic.
So assuming nobody knew about this bug before March 21st no further steps are necessary. Since your security should not be based on assumptions the best way to ensure a secure service is to follow this checklist.
- Re-issue new SSL certificates for your domains (find a guide here)
- Change your passwords and revoke existing sessions
- Revoke and recreate all access tokens you are using
There is more good news for your. App Engine supports Forward Secrecy since July 2013. This feature mitigates attacks by making it impossible to use a stolen encryption key to read old encrypted communication.
By using App Engine you trust Google to host your service and manage situation like Heartbleed even better than you could. I believe Google has done a great job here and I’m convinced they will continue to do so.