Close to two-thirds (63%) of popular mobile apps contain open source components with known security vulnerabilities, according to a recent study by the Synopsys Cybersecurity Research Center (CyRC) entitled Peril in a Pandemic: The State of Mobile Application Security Testing.
The study also highlights other pervasive security concerns, including sensitive data exposed in application code and the use of excessive mobile device permissions.
“Like any other software, mobile apps are not immune to security weaknesses and vulnerabilities that can put consumers and businesses at risk,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group.
“Today, mobile app security is especially important when you consider how the pandemic has forced many of us — including children, students, and large portions of the workforce — to adapt to increasingly mobile-dependent, remote lifestyles. Against the backdrop of these changes, this report underscores the critical need for the mobile app ecosystem to collectively raise the bar for developing and maintaining secure software.”
How safe are mobile apps?
Schmitt made several observations from the research:
- Open source vulnerabilities in mobile apps are pervasive.
Of the 3,335 apps analysed, all ranked among the most downloaded or top grossing on the Google Play Store, 63% contained open source components with at least one known security vulnerability. Vulnerable apps contained an average of 39 vulnerabilities. In total, CyRC identified more than 3,000 unique vulnerabilities, which appeared more than 82,000 times across the apps.
- Known vulnerabilities are a solvable problem.
While the number of vulnerabilities uncovered in this research is daunting, it is perhaps more surprising that 94% of the vulnerabilities detected have publicly documented fixes, meaning a security patch or a newer, more secure version of the open source component is already available.
Furthermore, 73% of the vulnerabilities detected were first disclosed to the public more than two years ago, indicating that app developers simply aren’t considering the security of the components used to build their apps.
- In-depth analysis of high-risk vulnerabilities.
Almost half (43%) of the vulnerabilities are considered by CyRC to be high risk because they either have been actively exploited or are associated with documented proof-of-concept (PoC) exploits. Just under five percent of the vulnerabilities are associated with an exploit or PoC exploit and have no fix available.
- Information leakage.
When developers unintentionally expose sensitive or personal data in an application's source code or configuration files, attackers can use that data to mount subsequent attacks.
CyRC found tens of thousands of instances of information leakage, where potentially sensitive information was exposed, ranging from private keys and tokens to email and IP addresses.
- Excessive use of mobile device permissions.
Mobile apps often need access to certain features or data on a device in order to function. However, some apps recklessly or surreptitiously request far more access than necessary. The mobile apps analysed by CyRC request an average of 18 device permissions.
That includes an average of 4.5 sensitive permissions, meaning those that grant the most access to personal data, and an average of 3 permissions that Google classifies as “not intended for third-party use.”
- Comparing app categories.
At least 80% of the apps in six of the 18 categories contained known vulnerabilities, including games, banking, budgeting, and payment apps. The lifestyle and health & fitness categories tied for the lowest percentage of vulnerable apps at 36%.
The banking, payment, and budgeting categories also ranked in the top three for highest average number of mobile device permissions required, well above the overall average of 18. Games, tools for teachers, education, and lifestyle apps required the lowest average number of permissions.
The study analysed 3,335 of the most popular Android mobile apps on the Google Play Store in the first quarter of 2021, and focused on 18 popular app categories, many of which have seen explosive growth during the pandemic, including business, education, and health & fitness.
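The first two findings above (vulnerable open source components, and the fact that most of those vulnerabilities have a documented fix and were disclosed years ago) are the kind of result a software composition analysis check produces. The following is an added example, not code from the CyRC report or from Synopsys: it audits a Gradle-style dependency list against an advisory table and reports, per finding, whether a fix exists and how long the issue has been public. The dependency list, the advisory table, its component names and its `ADV-…` identifiers are all constructed sample data, not real advisories.

```python
"""Added example (not from the CyRC report): flag dependencies with known
vulnerabilities and report fix availability and disclosure age.
All advisory data below is constructed; the ADV-* ids are placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Advisory:
    advisory_id: str          # placeholder id, not a real CVE
    component: str            # "group:artifact"
    affected_below: str       # every version strictly below this is affected
    fixed_in: Optional[str]   # None means no fixed release exists
    disclosed: date           # date the issue became public


# Constructed advisory table (placeholder ids, names and versions).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "com.example:json-parser", "2.9.0", "2.9.0", date(2018, 6, 1)),
    Advisory("ADV-0002", "com.example:image-loader", "1.4.2", "1.4.2", date(2020, 11, 15)),
    Advisory("ADV-0003", "com.example:legacy-crypto", "9.9.9", None, date(2019, 3, 3)),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.8.1' into (2, 8, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when the installed version falls below the advisory's fixed boundary."""
    return parse_version(version) < parse_version(adv.affected_below)


def audit(dependencies: Iterable[str], today: date = date(2021, 3, 31)) -> List[Dict]:
    """One finding per vulnerable dependency.

    dependencies: 'group:artifact:version' strings, as written in a Gradle file.
    today: reference date for the disclosure age (defaults to the end of Q1 2021,
           the period the report covers).
    """
    findings = []
    for dep in dependencies:
        group, artifact, version = dep.split(":")
        component = f"{group}:{artifact}"
        for adv in ADVISORIES:
            if adv.component == component and is_affected(version, adv):
                findings.append({
                    "dependency": dep,
                    "advisory": adv.advisory_id,
                    "fix_available": adv.fixed_in is not None,
                    "upgrade_to": adv.fixed_in,
                    "years_public": (today - adv.disclosed).days / 365.25,
                })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, float]:
    """Share of findings with a documented fix and share public for over two years,
    the two ratios the report singles out (94% and 73% across its sample)."""
    if not findings:
        return {"fix_available_share": 0.0, "older_than_two_years_share": 0.0}
    n = len(findings)
    return {
        "fix_available_share": sum(f["fix_available"] for f in findings) / n,
        "older_than_two_years_share": sum(f["years_public"] > 2 for f in findings) / n,
    }


# Constructed dependency list for one hypothetical app.
SAMPLE_DEPS = [
    "com.example:json-parser:2.8.1",    # below the fixed version: vulnerable, fix exists
    "com.example:image-loader:1.4.2",   # exactly the fixed version: not affected
    "com.example:legacy-crypto:1.0.0",  # vulnerable, no fixed release
    "com.example:analytics:3.2.0",      # no advisory at all
]

if __name__ == "__main__":
    for f in audit(SAMPLE_DEPS):
        action = f"upgrade to {f['upgrade_to']}" if f["fix_available"] else "no fix; replace or mitigate"
        print(f"{f['dependency']}: {f['advisory']} public {f['years_public']:.1f}y, {action}")
    print(summarize(audit(SAMPLE_DEPS)))
```

The version comparison is deliberately tuple-based: comparing `"1.10.0"` and `"1.9.9"` as strings would rank them the wrong way round, which is a common source of false negatives in home-grown dependency checks.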
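The information leakage finding names four classes of data that end up in source or configuration files: private keys, tokens, email addresses and IP addresses. The scanner below is an added example, not code from the CyRC report or from Synopsys; it runs simple pattern checks over file contents and reports the file, line and kind of each hit. The file contents are constructed samples, and the token pattern is a generic heuristic (an assignment to a secret-looking key name) rather than any vendor's credential format.

```python
"""Added example (not from the CyRC report): detect the leakage classes the
report names in source and configuration text. Sample files are constructed."""
import re
from typing import Dict, List, Tuple

# One pattern per leakage class. The token rule is a heuristic: a key named
# like a secret, assigned a value of at least 16 token-like characters.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "token": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*[\"']?[A-Za-z0-9_\-]{16,}"
    ),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Dotted quad with each octet limited to 0-255, so '1.2.3' or '999.1.1.1' do not match.
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

Hit = Tuple[str, int, str]  # (path, line number, leakage kind)


def scan_text(path: str, text: str) -> List[Hit]:
    """Return a hit for every (line, pattern) pair that matches in one file."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((path, lineno, kind))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan a mapping of path -> contents, e.g. an unpacked APK's res/ and assets/."""
    hits: List[Hit] = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per leakage kind."""
    counts: Dict[str, int] = {}
    for _, _, kind in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample files, laid out like an unpacked Android app.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<string name="app_name">Sample</string>\n'
        '<string name="support_email">support@example.com</string>\n'
    ),
    "assets/config.properties": (
        "backend.host=203.0.113.10\n"
        "api_key=AKIAEXAMPLE0000000000\n"  # constructed, not a real credential
        "log.level=INFO\n"
    ),
    "assets/deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, lineno, kind in found:
        print(f"{path}:{lineno}: {kind}")
    print(summarize(found))
```

A scanner like this is a triage tool, not proof of a leak: a `support@` address in a strings file is usually intentional, while a PEM header or an `api_key=` assignment in a shipped asset almost never is, so the kind of hit should drive the follow-up.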
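The permissions finding counts, per app, total requested permissions, sensitive permissions, and permissions Google marks as not intended for third-party use. On Android those requests live in `AndroidManifest.xml` as `<uses-permission>` elements, so the audit below is an added example, not code from the CyRC report or from Synopsys, that parses a manifest and classifies what it asks for. The manifest is constructed, and both classification sets are assumptions: `SENSITIVE` is a subset of permissions Android documents at the "dangerous" protection level, and `RESTRICTED` is a few permissions whose Android documentation says they are not for use by third-party applications. Neither set is the report's own list.

```python
"""Added example (not from the CyRC report): classify the permissions requested
in an AndroidManifest.xml. The manifest and both classification sets are
assumptions for illustration, not the report's definitions."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used for android:name attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed sensitive set: a subset of Android's 'dangerous' (runtime) permissions
# that grant access to personal data.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Assumed restricted set: permissions whose Android documentation says they are
# not for use by third-party applications.
RESTRICTED = {
    "android.permission.READ_LOGS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.WRITE_SECURE_SETTINGS",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml: str) -> Dict[str, object]:
    """Totals comparable to the report's per-app averages (18 / 4.5 / 3)."""
    perms = requested_permissions(manifest_xml)
    return {
        "total": len(perms),
        "sensitive": sorted(p for p in perms if p in SENSITIVE),
        "restricted": sorted(p for p in perms if p in RESTRICTED),
    }


# Constructed manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.READ_LOGS" />
    <application android:label="Sample" />
</manifest>
"""

if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST)
    print(f"{result['total']} permissions requested")
    print("sensitive:", result["sensitive"])
    print("restricted (not for third-party apps):", result["restricted"])
```

On a real app the manifest is taken from the decoded APK (for example with `apktool`), since the manifest inside a packaged APK is stored in binary XML rather than the text form parsed here.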