Binary scans find vulnerabilities in one in five Android apps
Research conducted by binary-level security and compliance testing company Insignary has found vulnerabilities in one in five Android apps.
Insignary tested 700 of the most popular Android apps on the Google Play Store for the research. Their Clarity system was put to work for the first time analysing APKs for known open source vulnerabilities.
Here are some of the key findings:
The binary scans indicate that the Android apps available on Google Play Store by the top software vendors contain versions of open source components with security vulnerabilities. Out of the 700 APK files scanned, 136 contain security vulnerabilities.
57% of the APK files with security vulnerabilities contain vulnerabilities ranked “Severity High,” meaning that the software as deployed remains vulnerable to potential security threats.
86 out of the 136 APK files with security vulnerabilities contain vulnerabilities associated with openssl.
58 out of the 136 APK files with security vulnerabilities contain vulnerabilities associated with ffmpeg and libpng. The prevalence of these open source components can be attributed to the abundance of images and videos in mobile applications.
Interestingly, three of the APK files scanned contain over five binaries with security vulnerabilities. The majority of APK files with vulnerabilities contain one to three binaries with security vulnerabilities.
70% out of the top 20 apps in the “Games” category contain security vulnerabilities.
30% out of the top 20 apps in the “Sports” category contain security vulnerabilities.
This study demonstrates that 1 in 5 APK files does not use the correct, most up-to-date versions of the OSS components available.
The use of outdated components is a frequent cause of security vulnerabilities. Insignary found that newer versions of the vulnerable components were often already available to address the problems.
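To make the binary-scanning approach concrete, here is an added example (not Insignary's Clarity tooling or any code from the report) of how a scan can recover bundled OSS component versions from an APK: it opens the APK as a zip, searches the native .so files for the version banners that OpenSSL and libpng compile into their binaries, and flags anything below an assumed minimum version. The sample APK contents and the minimum-version thresholds are constructed for this example.

```python
import io
import re
import zipfile

# Version banners that OpenSSL and libpng embed in their compiled binaries
# (real banner formats). The minimum versions are assumptions chosen for
# this example, not thresholds taken from the Insignary study.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}
MIN_OK = {"openssl": "1.1.1", "libpng": "1.6.37"}  # assumed thresholds

def _key(version):
    # "1.0.1e" -> (1, 0, 1, "e") so versions compare numerically, letter last
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)

def scan_apk(apk_bytes):
    """Return {lib_path: [(component, version, outdated), ...]} for the
    native libraries found under lib/ in the APK."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            blob = zf.read(name)
            for comp, pat in BANNERS.items():
                for m in pat.finditer(blob):
                    ver = m.group(1).decode()
                    outdated = _key(ver) < _key(MIN_OK[comp])
                    findings.setdefault(name, []).append((comp, ver, outdated))
    return findings

def build_sample_apk():
    # Constructed APK-like zip: two fake .so files carrying version banners
    # plus a non-native file that the scanner must ignore.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libcrypto.so",
                    b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...")
        zf.writestr("lib/arm64-v8a/libpng.so",
                    b"\x7fELF...libpng version 1.6.37 - April 14, 2019...")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for lib, hits in scan_apk(build_sample_apk()).items():
        for comp, ver, outdated in hits:
            print(lib, comp, ver, "OUTDATED" if outdated else "ok")
```

Real binaries may strip or customise these banners, so a production scanner also fingerprints code and symbol tables rather than relying on strings alone.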
Developers and users can test APKs by visiting the free site TruthIsIntheBinary before installing.
What are your thoughts on the findings? Let us know in the comments.