By Tae Jin “TJ” Kang, CEO, Insignary, Inc.
Study Finds One in Five of 700 Most Popular Android Apps Have Numerous Known Open Source Security Vulnerabilities
IDC estimates that Google’s Android operating system has an 85% market share, while Apple’s iOS declined by almost four percent. Paid apps, subscriptions and in-app purchases through the Google Play Store are estimated to have reached $20.1 billion in 2017, a 34% increase. While Apple’s App Store saw a slightly larger increase in growth and had almost double Google Play’s revenue, it is Android apps that are used by the majority of mobile device users.
There has been a great deal of speculation regarding the quality of apps developed and sold for both the iOS and Android platforms. More than 90% of the software developed and in use today contains open source components. This matters because the number of known security vulnerabilities reported through the Common Vulnerabilities and Exposures (CVE) database shows that 2017 was a record year, with more than 14,700 reported. We should also note that reported vulnerabilities for 2018 are on a pace to beat last year’s milestone.
Known security vulnerabilities are low hanging fruit for hackers
Whether software code is proprietary or open source, it harbors security vulnerabilities. Because of its transparency, open source code tends to be better engineered than a comparable piece of proprietary code. And thanks to its flexibility, open source code is extensively used. This means that a security vulnerability in a piece of open source code is likely to exist across a multitude of applications and platforms. Consequently, open source software vulnerabilities become “low hanging fruit” for hackers to target and attack.
While updated versions of open source components are available without security vulnerabilities, in-house software development teams and third-party developers are hard-pressed to effectively track all open source software components in their internally developed and externally sourced code.
Binaries do not lie
In order to determine how “secure” mobile apps are, our R&D team sought a proxy. It was determined that the binary code – the exact software downloaded and installed on Android smartphones and tablets – would be examined for open source software components known to harbor known security vulnerabilities. The binaries were chosen because they are the actual code being “shipped”: while software vendors and third-party developers might have an idea about what open source code elements are in their source code, a binary file does not lie.
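To make the “binaries do not lie” idea concrete, here is an added illustration (not Insignary’s tool or code) of the simplest form of APK binary inspection: unpack the APK, which is a zip file, and look inside each native library under `lib/` for the version banner that OpenSSL and libpng embed in their binaries. The sample APK, the `.so` contents and the `MIN_VERSION` policy table are all constructed for this example.

```python
import io
import re
import zipfile

# Version banners that OpenSSL and libpng embed in their compiled libraries.
# (ffmpeg, the other component named in the study, marks its libav* libraries
# differently and is left out of this illustration.)
VERSION_PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

# Oldest version the reviewer is willing to accept. This is a policy input
# constructed for the example, not a claim about which releases are safe.
MIN_VERSION = {"openssl": "1.1.1", "libpng": "1.6.37"}

def version_key(v):
    """Turn '1.0.2g' into (1, 0, 2, 'g') so tuples compare in release order."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)", v)
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4])

def scan_apk(apk_bytes):
    """Return {lib path: (component, version, outdated)} for native libs in an APK."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = apk.read(name)  # raw ELF bytes; banners are plain ASCII inside
            for component, pattern in VERSION_PATTERNS.items():
                hit = pattern.search(blob)
                if hit:
                    ver = hit[1].decode()
                    outdated = version_key(ver) < version_key(MIN_VERSION[component])
                    findings[name] = (component, ver, outdated)
    return findings

def build_sample_apk():
    """Constructed stand-in for a real APK: a zip holding two fake native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libcrypto.so", b"\x7fELF...OpenSSL 1.0.2g  1 Mar 2016...")
        z.writestr("lib/arm64-v8a/libpng16.so", b"\x7fELF...libpng version 1.6.37 - April 14, 2019...")
        z.writestr("classes.dex", b"dex\n035\x00")  # not a native lib; skipped by the scan
    return buf.getvalue()

if __name__ == "__main__":
    for path, (component, ver, old) in scan_apk(build_sample_apk()).items():
        print(f"{path}: {component} {ver} {'OUTDATED' if old else 'ok'}")
```

A library whose banner has been stripped produces no hit here, so an empty result means “not detected”, not “clean”; that gap is why production scanners fingerprint the code itself rather than relying on version strings.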
About the study
During the first week in April of 2018, our research and development team scanned the APK files of the 700 most popular apps by downloads on the Google Play Store. The team selected the 20 most popular apps in each of the 35 main Android app categories, including “Games,” “Productivity,” “Social,” “Entertainment” and “Education,” among others.
Following are some of the key findings:
- The binary scans indicate that the Android apps available on the Google Play Store from the top software vendors contain versions of open source components that are known to contain security vulnerabilities. Out of the 700 APK files scanned, 136 contain open source software components known to harbor known security vulnerabilities.
- 57% of the APK files with reported security vulnerabilities contain vulnerabilities ranked as “Severity High,” meaning that the software as deployed remains exposed to serious security threats.
- 86 out of the 136 APK files with security vulnerabilities contain vulnerabilities associated with openssl.
- 58 out of the 136 APK files with security vulnerabilities contain vulnerabilities associated with ffmpeg and libpng. The prevalence of these open source components can be attributed to the abundance of images and videos in mobile applications.
- Interestingly, three of the APK files scanned contain over five binaries with security vulnerabilities. The majority of APK files with vulnerabilities contain one-to-three binaries with security vulnerabilities.
- 70% of the top 20 apps in the “Games” category contain security vulnerabilities.
- 30% of the top 20 apps in the “Sports” category contain security vulnerabilities.
- This study demonstrates that 1 in 5 APK files does not utilize the correct, most up-to-date versions of the OSS components available.
In the majority of cases, the open source community has created new versions of the components to address nearly all discovered security vulnerabilities. Software developers and vendors can employ these versions to prevent data breaches and the subsequent litigation that can cause significant corporate losses. Interestingly, during discussions with various vendors, Insignary encountered a few developers who expressed a preference for manually applying patches, line by line.
Though this ad hoc approach to addressing vulnerabilities may be used by others, it appears to be the exception, rather than the rule. Additionally, while this method may work, it is still recommended that Android app developers scan their binaries to ensure that they catch and address all known security vulnerabilities.
Our findings suggest two possibilities for the failure to use the correct component version by Android app developers. Either they are not aware of the open source software vulnerability issues, or they do not have a process or a tool that accurately finds and reports open source components that are known to contain security vulnerabilities.
The market for smartphone and tablet apps appears to be on a steadfast trajectory. However, if app vendors are unable to employ the latest, vulnerability-free OSS versions in their firmware, the possibility of data theft and business disruption could be significantly debilitating. We encourage all app vendors to redouble their efforts to patch known security vulnerabilities. We encourage the app stores to make stronger efforts to ensure that the apps they sell are less hacker-friendly. Finally, we suggest consumers leverage sites or services – like the no-cost TruthIsIntheBinary.com – that allow them to test the apps they are considering or purchasing for components with known security vulnerabilities, prior to installing them on their mobile devices.
About the Author
Tae Jin “TJ” Kang is a technology industry executive and entrepreneur. He is the president and CEO of Insignary. In addition to founding a number of successful technology startups, Mr. Kang has held senior management positions with global technology leaders that include Korea Telecom and Samsung Electronics, among others.
Mr. Kang can be reached online at firstname.lastname@example.org and at our company website www.insignary.com