Let’s start with the bad news. According to the Google Online Security Blog App Engine was affected, but don’t panic.
A patch has been written and I assume applied to the Google services on March 21st, long before the vulnerability became public. That’s pretty good news.
So assuming nobody knew about this bug before March 21st no further steps are necessary. Since your security should not be based on assumptions the best way to ensure a secure service is to follow this checklist.
- Re-issue new SSL certificates for your domains (find a guide here)
- Change your passwords and revoke existing sessions
- Revoke and recreate all access tokens you are using
I also encourage you to setup 2-factor authentication wherever it is possible. A lot more services than I expected already support it.
There is more good news for your. App Engine supports Forward Secrecy since July 2013. This feature mitigates attacks by making it impossible to use a stolen encryption key to read old encrypted communication.
Conclusion
By using App Engine you trust Google to host your service and manage situation like Heartbleed even better than you could. I believe Google has done a great job here and I’m convinced they will continue to do so.
