Open-source reuse has left Android’s most-popular apps laced with critical vulnerabilities

Widespread use of open-source components perpetuates vulnerabilities, compromises updates, violates security protections – and guides cybercriminals

CISOs may want to revisit their mobile device policies in the wake of findings that fully a third of Android-based mobile apps contain security vulnerabilities – and that 43 percent of those vulnerabilities are rated critical or high-risk.

The research, conducted in early August by the American Consumer Institute Center for Citizen Research, used Insignary’s Clarity vulnerability scanner to analyse the 330 most popular Android apps and identified 1978 vulnerabilities across the tested cohort.

This worked out to an average of 19 potentially exploitable security flaws for each of the vulnerable apps – reflecting what the report noted is a lingering danger that has been exacerbated by the use and reuse of vulnerable open-source components.

“The use of open source code has grown across all industries in recent years, allowing companies to lower development costs, bring their products to market faster, and accelerate innovation,” the analysis noted.

“Despite these advantages, open source code has certain characteristics that make it particularly attractive to hackers…. These findings underline the need for more vigilance by app developers and consumers to prevent serious attacks.”

Those attractive characteristics include the breadth of targets in which any particular open-source component is used, providing a “target-rich environment” for hackers; generally poor patching and updating practices, a consequence of open-source components’ ‘pull’ support model, in which the consumer of a component must notice and fetch fixes rather than having them pushed out; a lack of organisational visibility into which open-source components are in use within an environment; and the convenient listing of possibly exploitable vulnerabilities in the universally used CVE database – “providing a roadmap for exploiting code”.
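The visibility gap the report describes is usually closed with a software-composition check: an inventory of the components bundled in an app is matched against an advisory feed by version range and the hits are bucketed by severity. The following Python sketch is an added example, not the report’s or Insignary’s code, and every component name, version, advisory and CVE identifier in it is constructed.

```python
# Added example: minimal software-composition check. Matches bundled
# open-source components against an advisory list by version range and
# buckets the findings by CVSS severity, the metric the report reports on.
# All data below is constructed for illustration.

# Constructed advisory feed: (component, introduced, fixed, cve, cvss).
# A component at version v is affected when introduced <= v < fixed.
ADVISORIES = [
    ("libimage",  "1.6.0", "1.6.37", "CVE-PLACEHOLDER-1", 9.8),
    ("netclient", "3.0.0", "3.12.0", "CVE-PLACEHOLDER-2", 7.5),
    ("htmlparse", "1.0.0", "1.14.2", "CVE-PLACEHOLDER-3", 5.3),
]

# Constructed inventory of one app's bundled components, in the form a
# scanner would recover from the APK (component name -> version string).
INVENTORY = {
    "libimage": "1.6.20",
    "netclient": "3.12.1",
    "htmlparse": "1.8.3",
    "jsonlib": "2.8.5",
}

def parse_version(v):
    """Dotted numeric version -> tuple so that '1.6.20' < '1.6.37' holds."""
    return tuple(int(x) for x in v.split("."))

def severity(cvss):
    """CVSS v3 qualitative buckets."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def find_vulnerable(inventory, advisories):
    """Return (component, version, cve, severity) for every affected pairing."""
    findings = []
    for comp, ver in inventory.items():
        v = parse_version(ver)
        for name, lo, hi, cve, cvss in advisories:
            if name == comp and parse_version(lo) <= v < parse_version(hi):
                findings.append((comp, ver, cve, severity(cvss)))
    return findings

def critical_or_high_share(findings):
    """Fraction of findings rated critical or high (the report's headline figure)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f[3] in ("critical", "high")) / len(findings)

if __name__ == "__main__":
    for comp, ver, cve, sev in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{comp} {ver}: {cve} ({sev})")
```

Note that the version fixed just past an affected range (netclient 3.12.1 here) correctly produces no finding, which is exactly the update-and-retest behaviour the report credits the responsive banking apps with.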

Google’s fragmented mobile ecosystem has made patching complicated even when severe vulnerabilities are known, and the company has been working to improve the patching and updating process for its apps. Its latest initiative in this space – an ongoing effort called Project Treble – will modularise the Android operating system architecture to resolve fragmentation issues that can make updating apps particularly difficult.

Studied apps included the top-10 apps within 33 different categories including banking, ticket purchasing, travel, sports, social-media and food-delivery apps.

Libraries and demonstration apps were the most exposed, with an average of 12.6 critical vulnerabilities per application.

This was followed by entertainment apps (11 critical vulnerabilities) and finance apps (7), with productivity (4.2), communication (4.2), and books and reference (3.6) also among the most exposed.

Some applications were retested after a few weeks. The Wells Fargo and Bank of America banking apps – each of which had over 30 critical vulnerabilities – had both fixed vulnerabilities such as CVE-2013-0749 by the time a new version of their apps was released.

Yet other providers weren’t so responsive, with ticketing firm Vivid Seats fixing none of the 19 identified vulnerabilities from one version to the next.

The findings echo a recent Symantec analysis of the top 100 Google Play and iTunes mobile apps, which found that mobile apps were voracious consumers of personally identifiable information (PII): 9 percent of Android apps and 12 percent of iOS apps demanded the user’s phone number, and 44 percent and 48 percent respectively extracted the user’s email address.

Some 89 percent of Android apps (compared with 39 percent of iOS apps) requested permissions that were judged to be risky – including tracking location (requested by 45 percent of Android and 25 percent of iOS apps), recording audio (requested by 25 percent of Android and 9 percent of iOS apps), and reading the user’s SMS messages (requested by 15 percent of Android apps but unavailable on iOS).

While permissions requests reflect the intent of the mobile app author, inadvertent and lingering source code vulnerabilities reflect a failure of process and procedure that is, among other things, being addressed through the increasingly popular DevSecOps methodology.

The demonstrated persistence of vulnerabilities, the analysis warned, has implications for Internet of Things (IoT) security, automotive security, medical devices, and other mission-critical applications.

“The key challenge is with third-party components that are difficult to monitor,” the analysis notes. “With a surge of IoT applications and interconnected equipment, the presence of unsupported electronic devices will provide a growing target for hackers for years to come.”