About 20 percent of the most popular Android Apps available through the Google Play Store contain open source components with known security vulnerabilities that can be exploited by hackers, according to a report Insignary will release next week.
The findings are the result of the company’s recent comprehensive binary code scan of the 700 most popular Android Apps on the Google Play Store. Insignary is a binary-level open source software security and compliance firm.
It leveraged its Insignary Clarity fingerprint-based binary scanning technology to analyze Android Package Kit (APK) files for known open source security vulnerabilities, and found them in one out of every five Android apps. Some were serious code flaws.
“With today’s software and development procurement model, it has been almost impossible to know what open source components reside in software. Our tool is the first to be able to catalog all open source components in binary format — the software consumers receive and use — and report which components are known to harbor known security vulnerabilities,” said Tae-Jin (TJ) Kang, CEO of Insignary.
The company’s binary scanning tools also work on enterprise software, but the large library of open source Android applications provided a better opportunity to demonstrate the number of known security vulnerabilities that lurk in today’s code, he said.
“Our goal is not to just highlight the issues. We wanted to see how prevalent these issues are,” Kang told LinuxInsider.
Twenty percent of the Android apps scanned had open source components known to contain security vulnerabilities.
Given that consumers and businesses rely as heavily as they do on their smartphones, the results surprised researchers, said Kang. The lack of the most basic security precautions does not speak well of Android app developers.
“Software security and data privacy are increasingly at risk due to deficiencies in the development and procurement of software and apps, from the growing sophistication of hackers and their methods,” noted Steve Pociask, president of the American Consumer Institute’s Center for Citizen Research, who was briefed on the report.
The study’s landmark findings point to the dangers inherent in poorly vetted open source Android apps from app vendors, he said, adding that Insignary’s upfront identification of hidden vulnerabilities is a key step to stemming those problems and protecting consumer information.
“It is clear that steps need to be taken to improve the quality of security and data privacy in Android apps and other software that leverage open source software components prior to reaching businesses and consumers,” Pociask told LinuxInsider.
At a minimum, developers need to deploy updated software versions without known security vulnerabilities, said Insignary’s Kang.
Insignary’s research and development team scanned the APK files during the first week in April. The team selected the 20 most popular apps in each of the 35 Android app categories, including game, productivity, social, entertainment and education, among others.
There were significant flaws in programming code in apps offered at the Google Play Store by the top software vendors, the binary scans indicated. Of the 700 APK files scanned, 136 contained security vulnerabilities.
- 57 percent of the APK files with security vulnerabilities contained vulnerabilities that were ranked as “Severity High.” This rating means that the deployed software updates remain vulnerable to potential security threats.
- 86 of the 136 APK files with security vulnerabilities contained vulnerabilities associated with openssl.
- 58 of the 136 APK files with security vulnerabilities contained vulnerabilities associated with ffmpeg and libpng. The prevalence of those open source components can be attributed to the abundance of images and videos in mobile applications.
Interestingly, three of the APK files scanned contained more than five binaries with security vulnerabilities. The majority of APK files with vulnerabilities contained one-to-three binaries with security vulnerabilities.
- 70 percent out of the top 20 apps in the Game category contain security vulnerabilities.
- 30 percent out of the top 20 apps in the Sports category contain security vulnerabilities.
One in five APK files did not utilize the correct, most up-to-date versions of the open source software components available, the researchers concluded.
Not many tools can sort through the binary level to find vulnerabilities. Most of the existing tools look for patterns of code that already are well known security problems.
“Static code analyzer tools cannot detect the issues that we found,” noted Kang.
Most companies use such tools to find issues in proprietary code. Their proprietary programs are added on top of open source components, he pointed out.
“Software developers pretty much assume that the open source code they use is secure because it is used by so many people for many years,” Kang said. “We found that they only detect less than 10 percent of the vulnerabilities that are already known.”
The open source community has created new versions of components to address all of the previously listed security vulnerabilities. Software developers and vendors can employ these versions to prevent data breaches and subsequent litigation that could cause significant corporate losses, according to the report.
During discussions with various vendors, Insignary encountered a few developers who expressed a preference for manually applying patches, line by line, the report noted.
That was the same reaction developers expressed months earlier when Insignary reported that WiFi routers were riddled with security holes.
Though an ad hoc approach of manually patching line-by-line to address vulnerabilities may be used by some, it appears to be the exception, rather than the rule, Insignary researchers concluded.
While this method may work, Android App developers still should scan their binaries to ensure that they catch and address all known security vulnerabilities, the researchers advised.
There are two possibilities for the failure to use the correct component version by Android Apps, the report suggests. One is that devs do not consider these vulnerabilities worth addressing. The other is that they do not use a system that accurately finds and reports open source components known to contain known security vulnerabilities.
Overall, the Play Store probably is safer today than it ever has been, observed Charles King, principal analyst at Pund-IT. Google certainly takes app security seriously, and the company’s most recent report on Android security details the measures the company has taken to ratchet up security quality.
“That said, there are and will probably always be chinks in Android’s armor, mainly due to many app developers’ and device makers’ sketchy efforts to implement and deliver patches,” he told LinuxInsider.
That is unlikely to change, so projects like Insignary’s can play a valuable role in keeping Android device owners informed. It would be interesting to know whether Insignary can provide evidence that the vulnerabilities it discovered have led to significant numbers of Android devices being exploited, King said.
“The announcement appears to be timed to take advantage of the RSA Conference this week, so making controversial claims about a major player like Google could help Insignary stand out from the crowd,” he pointed out.
Insignary was unknown less than a year ago. It received US$2M in Series A funding earlier this year, meaning it is a very early startup stage organization with just a few employees, King noted.
“Its binary code scanning tech may be great, but it’s also up against several other companies that have been around longer, including Veracode, Synopsys and WhiteHat Security,” he said. “I have no idea how Insignary’s solution stacks up against those and others.”
A Starting Point
Google’s Play Store is much better than other repositories in vetting software code, Insignary’s Kang acknowledged.
However, in some countries — China, for example — the Google Play Store is not permitted, and other software outlets exist in other regions as competitors, he said.
Insignary’s report does not focus on the actual existence of breaches from the Android vulnerabilities. The goal is to make Android users and software developers aware of the situation.
It makes sense to realize that hackers are going to go after known issues rather than work on finding yet-undisclosed vulnerabilities, said Kang. Steps can be taken to deal with the vulnerabilities.
Insignary’s Clarity scanner is a security solution that enables proactive scanning of software binaries for known, preventable security vulnerabilities. It also identifies license compliance issues.
The Clarity tool uses unique fingerprint-based technology that works on the binary-level without the need for source code or reverse engineering. This makes it easy for software developers, value-added resellers, systems integrators and managed service providers overseeing software deployments to take proper, preventive action before software delivery, according to Insignary.
Insignary’s Clarity is unique in that it scans for “fingerprints” from binary code to examine and then compare against the fingerprints collected from open source components in numerous open source repositories, the company said. This process differs from checksum or hash-based binary scanners.
Clarity does not need to keep separate databases of checksum or hash information for each CPU architecture. This significantly increases Clarity’s flexibility and accuracy in comparison to legacy binary scanners, according to the company.
Once a component and its version are identified through Clarity’s fingerprint-based matching, the scanner software compares them to more than 180,000 known security vulnerabilities cataloged in numerous databases.
Clarity also provides “fuzzy matching” of binary code and supports LDAP, RESTful API, and automation servers like Jenkins.
Putting Safety First
Android users can visit Insignary’s free scanning site to test for themselves if an APK file contains potential software vulnerabilities before they install it on their devices.
Insignary did not test for APK file vulnerabilities on other Android software distribution sites. However, other outlets could pose even greater risks for dangerous code, according to King.
“If anything, many — if not most — other outlets have fewer safety and security procedures in place than the Play Store, he said, “so it is particularly important for Android users to take care when downloading apps from those sources.”
Staying vigilant about system and app updates and patches is something anyone can do, King added, and third-party apps can help manage the process.