An information leak can have grave consequences. Consider the recent SolarWinds supply chain attack, which stemmed from the exposure of a critical, and inanely simple, internal password (solarwinds123). That makes the recent findings by the Synopsys Cybersecurity Research Center (CyRC) especially troubling.
The analysis of over 3,000 popular Android mobile apps showed information leakage to be commonplace. Passwords, user credentials, email addresses and tokens were among the information found. With this information, malicious actors can access someone’s servers, systems or sensitive data, plant malware, or even access banking apps.
In addition, many of these apps request an excessive number of mobile permissions. Indeed, CyRC found an average of 4.5 sensitive permissions per application. Tools for teachers is one category that posed a significant concern: one application with over a million downloads was found to require 11 permissions that Google classifies as “Protection Level: Dangerous”.
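The two findings above (credentials shipped inside the app package, and an excessive count of permissions at protection level "dangerous") are both things a developer or app-security reviewer can check before release from the decoded APK resources. The following script is an added example, not part of the CyRC report or any Synopsys tool: it audits an `AndroidManifest.xml` against a (deliberately abbreviated, assumed) subset of Google's dangerous-permission list and scans `strings.xml` for resource entries that look like hardcoded secrets. The manifest and strings file are constructed samples; a real audit would run over the files produced by decoding the APK and would load the full permission list from the platform documentation. Values are never printed, only the resource names that were flagged.

```python
import json
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Subset of the permissions Google documents at "Protection Level: Dangerous".
# Assumption: abbreviated for the example; extend from the platform docs for real use.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Resource names that suggest a credential is being shipped inside the APK.
SECRET_NAME_RE = re.compile(
    r"(password|passwd|secret|token|api_?key|access_?key|private_?key)", re.I
)
# Well-known credential formats, matched on the value regardless of the name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample manifest: two normal permissions and three dangerous ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleteachertool">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="@string/app_name"/>
</manifest>
"""

# Constructed sample strings.xml: UI copy, an empty placeholder, and two real leaks
# (the AWS key ID is Amazon's own documented dummy example value).
SAMPLE_STRINGS = """<resources>
    <string name="app_name">Sample Teacher Tool</string>
    <string name="api_base_url">https://api.example.invalid/v1</string>
    <string name="password_hint">Enter your password</string>
    <string name="oauth_token"></string>
    <string name="backend_password">solarwinds123</string>
    <string name="aws_access_key_id">AKIAIOSFODNN7EXAMPLE</string>
</resources>
"""


def dangerous_permissions(manifest_xml: str) -> list[str]:
    """Return the requested permissions that fall in the dangerous set, in manifest order."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]
    return [p for p in requested if p in DANGEROUS_PERMISSIONS]


def find_hardcoded_secrets(strings_xml: str) -> list[dict]:
    """Flag string resources whose name or value looks like a shipped credential."""
    root = ET.fromstring(strings_xml)
    hits = []
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reasons = []
        # A credential-like name paired with human-readable text ("Enter your password")
        # is UI copy, not a secret; an empty value is a placeholder filled at runtime.
        looks_like_credential = bool(value) and " " not in value and len(value) >= 8
        if SECRET_NAME_RE.search(name) and looks_like_credential:
            reasons.append("credential-like resource name with opaque value")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"value matches {label} format")
        if reasons:
            hits.append({"name": name, "reasons": reasons})  # value deliberately omitted
    return hits


def audit(manifest_xml: str, strings_xml: str) -> dict:
    """Combine both checks into one report suitable for a release gate."""
    perms = dangerous_permissions(manifest_xml)
    return {
        "dangerous_permission_count": len(perms),
        "dangerous_permissions": perms,
        "hardcoded_secrets": find_hardcoded_secrets(strings_xml),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

The name-based heuristic is intentionally conservative (no whitespace, at least eight characters) so that hint text and empty placeholders do not drown the review in false positives; a CI gate would fail the build whenever `hardcoded_secrets` is non-empty or the dangerous-permission count exceeds what the app's feature set justifies.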
The report also found that the majority of apps (63%) contained open source components with known security vulnerabilities, with an average of 39 vulnerabilities per vulnerable app. Nearly half of these vulnerabilities (44%) have been identified as high risk because they either have been actively exploited or are associated with documented proof-of-concept (PoC) exploits. Just under five percent of the vulnerabilities are associated with an exploit or PoC exploit and have no fix available. One percent of the vulnerabilities are classified as remote code execution (RCE) vulnerabilities, widely recognized as the most severe class of vulnerability. 0.64% are classified as RCE vulnerabilities and are associated with an active exploit or PoC exploit.
Top free games, top-grossing games, banking apps, budgeting apps, payment apps and top paid games were the top 6 most vulnerable app categories, which is highly concerning given their immense increase in popularity during the pandemic.
Remarkably, however, 94% of the vulnerabilities detected have publicly documented fixes, meaning there are security patches or newer, more secure versions of the open-source component available. Furthermore, 73% of the 3,137 unique vulnerabilities detected were first disclosed to the public more than two years ago, indicating that app developers simply aren’t considering the security of the components used to build their apps.
“Like any other software, mobile apps are not immune to security weaknesses and vulnerabilities that can put consumers and businesses at risk,” shared Jason Schmitt, general manager of the Synopsys Software Integrity Group. “Today, mobile app security is especially important when you consider how the pandemic has forced many of us—including children, students, and large portions of the workforce—to adapt to increasingly mobile-dependent, remote lifestyles. Against the backdrop of these changes, this report underscores the critical need for the mobile app ecosystem to collectively raise the bar for developing and maintaining secure software.”
To learn more, download the report, Peril in a Pandemic: The State of Mobile Application Security Testing.