Cutting corners: Research shows that trusting Google to be the best gatekeeper for the Play Store isn’t the best idea. The company is putting a lot of effort into finding apps that are malicious or contain severe security vulnerabilities, but usually after letting them into the Store with as little vetting as possible. Experts are calling attention to a new point of attack that can even be used against some of the most popular apps.
Most people use smartphones without worrying about the security of essential apps we use in our daily lives. Google routinely removes apps that are found to contain malware or adware, as well as apps that are crafted specifically to dupe you into paying for subscriptions. And most of us would assume that updating our apps and mobile operating system to the latest revisions means that any potential for security vulnerabilities are reduced to a minimum.
It turns out that isn’t the case, even for big name apps. According to a report from cybersecurity firm Check Point, there are tens of vulnerabilities that are found every day, some of them in the apps themselves and others in external shared code libraries that are used by those apps to enable specific features. Updating them to keep up with the most current security threats is a monumental task, so app developers have to prioritize which ones get fixed first.
The researchers decided to take a look at how many apps in the Google Play Store are currently still using vulnerable libraries. They hunted specifically for three vulnerabilities that are rated critical and were disclosed in 2014, 2015, and 2016. This won’t surprise the infosec community, but the resulting list includes over 800 popular Android apps and games that have been downloaded a total of 5 billion times.
Among the affected apps are some that people use very frequently, like Facebook, WeChat, Messenger, Instagram, AliExpress, TuneIn and SHAREit. The shared libraries have all been updated since the vulnerabilities were discovered, but new versions of those popular apps still use the outdated libraries.
Facebook says that’s not a problem because of the way its apps are coded, those vulnerabilities are useless for potential attackers. Google is currently investigating and trying its best to push app developers to work on fixes. Then again, the company wanted to flood its app store with apps with permissive policies, which ultimately led to a situation where new apps aren’t vetted properly and popular apps don’t get fixed unless there is public pressure to do so.
Check Point researchers note that while the apps might not use those old libraries that often, that still doesn’t count as good security. The vulnerabilities selected for this analysis are likely not the only ones, and they leave an open door for determined attackers, who are more likely to try and exploit a well-known vulnerability as opposed to the latest techniques.
This may not be as big of an issue as apps that imitate the look and feel of popular apps to siphon your personal data. And app developers may dismiss the new findings as insignificant. But you only need to look at Google’s bug bounty programs to see why keeping track of all external components of mobile apps is worth it.
This year over 1,000 Android apps were found to harvest your personal data even after you deny them any relevant permissions after installing them. Interestingly enough, the apps themselves were relatively secure, but they used third-party libraries that were littered with code that could be used for data collection.