Several high profile Android apps still have vulnerabilities discovered years ago

nanoguy

TS Addict
Staff member

Most people use smartphones without worrying about the security of essential apps we use in our daily lives. Google routinely removes apps that are found to contain malware or adware, as well as apps that are crafted specifically to dupe you into paying for subscriptions. And most of us would assume that updating our apps and mobile operating system to the latest revisions means that any potential for security vulnerabilities are reduced to a minimum.

It turns out that isn't the case, even for big name apps. According to a report from cybersecurity firm Check Point, there are tens of vulnerabilities that are found every day, some of them in the apps themselves and others in external shared code libraries that are used by those apps to enable specific features. Updating them to keep up with the most current security threats is a monumental task, so app developers have to prioritize which ones get fixed first.

The researchers decided to take a look at how many apps in the Google Play Store are currently still using vulnerable libraries. They hunted specifically for three vulnerabilities that are rated critical and were disclosed in 2014, 2015, and 2016. This won't surprise the infosec community, but the resulting list includes over 800 popular Android apps and games that have been downloaded a total of 5 billion times.

Among the affected apps are some that people use very frequently, like Facebook, WeChat, Messenger, Instagram, AliExpress, TuneIn and SHAREit. The shared libraries have all been updated since the vulnerabilities were discovered, but new versions of those popular apps still use the outdated libraries.

Facebook says that's not a problem because of the way its apps are coded, those vulnerabilities are useless for potential attackers. Google is currently investigating and trying its best to push app developers to work on fixes. Then again, the company wanted to flood its app store with apps with permissive policies, which ultimately led to a situation where new apps aren't vetted properly and popular apps don't get fixed unless there is public pressure to do so.

Check Point researchers note that while the apps might not use those old libraries that often, that still doesn't count as good security. The vulnerabilities selected for this analysis are likely not the only ones, and they leave an open door for determined attackers, who are more likely to try and exploit a well-known vulnerability as opposed to the latest techniques.

This may not be as big of an issue as apps that imitate the look and feel of popular apps to siphon your personal data. And app developers may dismiss the new findings as insignificant. But you only need to look at Google's bug bounty programs to see why keeping track of all external components of mobile apps is worth it.

This year over 1,000 Android apps were found to harvest your personal data even after you deny them any relevant permissions after installing them. Interestingly enough, the apps themselves were relatively secure, but they used third-party libraries that were littered with code that could be used for data collection.

Permalink to story.

 

Uncle Al

TS Evangelist
Here's a compelling reason that Google should be broken up into individually owned elements starting with their App's. The influence of making more $$ is the main force behind their lack of action or commitment and is a rather easy one for the government to address. It does no good for the government to worry about some area's and leave the others unaddressed and in the long run WE are all the victims ....
 

Devonian

TS Rookie
Phishing hook apps on Google's play store are quiet prolific and very specific in opening back doors that tend to stay open even after the apps are uninstalled.
Investing into antivirus software is as important as buying a glass screen protector and case.
 

Latest posts