According to cyber security firm Check Point Software Technologies, Android app makers are still not patching old security flaws, some of which date back to 2014. Of particular concern is that these security vulnerabilities exist in some of the most popular Android apps in the Google Play Store – including Facebook, Facebook Messenger, Instagram, WeChat, and Yahoo. This means that these security vulnerabilities may have been downloaded as many as several billion times by Android apps users around the world.
The source of the security flaws in Android apps
According to the research at Check Point, there is one key reason why these security vulnerabilities are so widespread in Android apps: app developers tend to copy code from vast code libraries so that they are not “reinventing the wheel” every time they build a new app. Security flaws lurking within these code libraries are then transferred to the Android apps using specific pieces of code from these libraries.
Complicating matters further is the fact that much of this code is coming from open source projects, where there is no clear owner of the code – and, thus, nobody to take responsibility for patching the code when security vulnerabilities are discovered. How security flaws are fixed in an open source project can vary widely. That would help to explain how known security flaws dating back to the period 2014-2016 are still showing up in thousands of Android apps. As Check Point noted in a mid-November Threat Intelligence Report: “This [situation] is cause by failure of app maintainers to incorporate security fixes made in open source sub-components into new versions of popular applications…”
As might be imagined, some of the Android apps developers called out by Check Point are disputing these claims. Facebook, for example, says it is not vulnerable to any of the issues highlighted by Check Point, and that its popular Instagram app already has a patch in place for Android devices, so it is not affected by the vulnerability. Google, too, says it is “investigating” the matter, and also ramping up its version of a bug bounty program to find and track down all known vulnerabilities in Android apps. The subtle nuance here is the following: just because an Android app integrated a bit of flawed code does not mean that the security vulnerability exists in the app itself. Companies and Android apps developers announce fixes and patches all the time, and many of them are designed to prevent exactly these types of security flaws.
There is a range of possible scenarios here for what the discovered Check Point security flaws mean. The best-case scenario is that app makers have already incorporated all of the known fixes and patches, and mobile device apps have no security vulnerabilities within them. As long as users continue to update their apps on a regular basis as each new vulnerability is discovered, they will be safe from future hacker threats. In theory, all of these security vulnerabilities were discovered over two years ago and subsequently patched, either directly (within the app itself) or indirectly (within the code library).
In a worst-case scenario, however, attackers could scan the Google Play store for known security vulnerabilities and go about exploiting them. For the purposes of its report, Check Point focused on three main types of security flaws that impact audio software, video streaming, and how media is handled within an app. In practical terms, suggests Check Point, this means hackers could steal and alter content on Facebook, extract geolocation data from Instagram, and read SMS messages in WeChat. Thus, any Android device could become a tool for hackers to exploit these security flaws years after the vulnerability had been reported.
Prior to announcing these security flaws publicly, Check Point brought these security flaws to the attention of the app developers and Google. This is customary operating procedure within the software and tech world, where developers are given some advance notice in order to make the requisite fixes to their version of the code.
But it’s not just app makers who must take on responsibility here, say security experts. Mobile app users have a responsibility to make sure that they are regularly updating their apps to the latest version. In general, this is just common sense. However, it might also create a false sense of security since updating an app does not guarantee that users are patching for critical security vulnerabilities. If there is one big takeaway from the Check Point report, it is this.
And, finally, Google bears some responsibility as well for ensuring that Android apps security teams have properly vetted all Android apps appearing within the Google Play Store. In one positive development, Google has said that it will beef up is Google Play Security Reward Program to enlist as many people as possible in tracking down, reporting and fixing these security flaws in Android apps.
The problem with code libraries
All of these steps to fix the problem, however, must contend with a bigger issue: in the modern app world, code libraries have become a source of potential risk. Apps using these native libraries are everywhere. Most consumers assume that when they download a Facebook or Alibaba app that all of the code used to build these apps has been created in-house. After all, aren’t these multi-billion-dollar companies with vast teams of app developers and software specialists? But that ignores the fact that code libraries make it very easy to create new apps by building on top of what has already been created earlier. This is especially true for audio, video and media capabilities of apps, all of which were singled out by Check Point in its report.
In the tech world, as in real life, the big question becomes whether you treat the symptom or the underlying condition responsible for the symptoms. Making a few changes to the way the Google Play store works, or requiring app makers for app stores to release security patches on a regular basis can be thought of as treating the symptoms. If you want to remove security vulnerabilities entirely, then you need to start at the source, which can be thought of as the open source projects creating code for massive code libraries. After all, as the security researchers at Check Point noted, if it had conducted this report several months earlier, it would have probably found an entirely different set of security flaws that had not been patched. Security flaws are moving targets, and they should be on the radar screens of Android app developers everywhere.