[welder]

Yes, the vulnerable code is used by both client and server so any client using openssl is affected.

[biafra]

Which parts of Android really use OpenSSL to do TLS with this heartbeat feature enabled?

The browsers? All Apps running on Dalvik? All apps running on ART?