There is a common belief that mobile application security is fairly good (or at least adequate) as long as you stay within the boundaries of the official app store. Apple has a better reputation for policing its own garden, but Android apps are often assumed to be safe if they’re popular and from a familiar publisher. A new study conducted during the pandemic indicates that this is not at all a safe assumption.
The study finds common vulnerabilities in the open source components and libraries that many Android apps use, even thousands of the most popular. Other common problems include leaky code and unsafe permissions required for the app to operate, with researchers finding that about 1/3 of the apps on the Play Store having at least one of these vulnerabilities.
Mobile application security faltering as attacks increase due to pandemic
The report from Synopsys focuses on three major categories of mobile application security concern: known open source vulnerabilities, data leakage that can expose sensitive data within application code, and instances of apps requesting excessive or unsafe permissions.
As the “Peril in a Pandemic” title indicates, the study focused on apps that have been popular during the Covid-19 pandemic. It examined 3,335 apps that were among the most frequently downloaded from the Google Play Store during the first quarter of 2021. The Synopsys cybersecurity research center made use of a proprietary source code review tool that uses “binary analysis” to emulate the process of reverse engineering code that is not publicly available.
The analysis focuses specifically on 18 app categories that saw tremendous growth due to the pandemic conditions, things like business communications and home fitness apps. Some of these categories were also selected due to common assumptions of having higher-than-usual levels of mobile application security, such as banking and finance apps.
The report indicates that on average one can expect any given Android app that is not properly secured will have about 39 vulnerabilities. The study found over 3,000 unique vulnerabilities that resurfaced in different apps over 82,000 times.
Information leakage and excessive permissions
In addition to vulnerabilities being worryingly common, the report found thousands of incidents of “information leakage” in these apps. This consists of either sensitive information or personal data that an attacker examining the code might be able to make use of. One major example of this would be the ability to extract hidden API keys from code, which can make “man in the middle” attacks relatively trivial to execute once exposed (among other possibilities).
Passwords, tokens, IP addresses, email addresses and URLs can also sometimes be found sitting in code exposed to the world. The researchers found tens of thousands of email and IP addresses in the code of these apps along with 804 Google Cloud tokens, 27 Facebook tokens and 26 AWS keys.
Finally, there is the issue of excessive permissions. Mobile application security best practices dictate that apps not request any more permissions than is necessary, but violation of this is fairly common. The researchers report apps requesting scores of unnecessary permission, including some that requested 10 to 30 that Google classifies as having a “dangerous” protection level or a signature permission that third-party apps are not supposed to use.
The report found that 80% of the apps in the gaming, banking, budgeting and payment categories contained known vulnerabilities, and that finance apps in general tend to ask for the largest amount of permissions (an average of 18). Health & fitness and lifestyle apps were the most secure category of the bunch during the pandemic, with only 36% containing vulnerabilities.
Known vulnerabilities affecting mobile application security
In general, these are not new vulnerabilities that mobile application security professionals have yet to catch up with. 94% have publicly documented fixes, and 73% were disclosed more than two years ago. 44% are considered high risk. The vast majority of these vulnerabilities were found prior to the pandemic and never addressed.
Open source vulnerabilities are a particular mobile application security issue given that 98% of the apps surveyed make use of OSS components. On average, each app includes about 20. 63% of these apps contained an OSS component that had at least one documented security vulnerability. Given this and the very large amount of apps that have years-old issues with known fixes, it appears that developers very commonly fail to keep up with the latest versions and patches for these components.
Mobile application security is a particularly important issue for software development to address given an explosion in mobile device use during the pandemic. There has been a general increase of overall users and overall time spent on these devices (leading to an explosion in development of mobile apps), but these devices are also increasingly being connected to company networks given the growth of work-from-home arrangements.