Use of unpatched open source code in popular Android apps is causing significant security vulnerabilities, researchers said.
Using Insignary's Clarity binary code scanner to examine the ten most popular applications in each of the 33 main app categories in the Google Play Store, the non-profit American Consumer Institute Center for Citizen Research (ACI) found that 105 of the 330 apps contained known (CVE-numbered) vulnerabilities in their open source components.
Such vulnerabilities can be exploited to compromise consumer and enterprise devices, enabling data theft, identity theft, fraud or corporate espionage.
“The use of open source code has grown across all industries in recent years, allowing companies to lower development costs, bring their products to market faster, and accelerate innovation,” the researchers said. “Despite these advantages, open source code has certain characteristics that make it particularly attractive to hackers.
“Critical vulnerabilities were found in many common applications, including some of the most popular banking, event ticket purchasing and travel apps,” researchers said in a post.
“For example, Wells Fargo and Bank of America mobile apps each contained over 30 critical vulnerabilities. Other unpatched apps with critical vulnerabilities, according to Clarity’s scan, included Sephora, Vivid Seats, TripAdvisor and a wide array of applications that extensively use personal or financial information,” they said.
The researchers retested some of the apps a few weeks after the initial scan.
As noted above, the first sweep found that the Wells Fargo and Bank of America apps each contained over 30 critical vulnerabilities, including CVE-2013-0749, a flaw the researchers said could give attackers remote access to devices, crash the application, or lead to denial of service or memory corruption. The second scan found that all of these vulnerabilities had been patched.
“On the other hand … one popular app used as a platform to buy and sell event tickets, Vivid Seats, had the highest risk in its category, including 19 critical vulnerabilities. After retesting the newest software, the Clarity scans showed the Vivid Seats software was still suffering from the same vulnerabilities,” the researchers said.
The researchers consider the Google Play Store apps a suitable proxy for all enterprise, consumer and embedded software that uses open source components. Their conclusion is that application developers need to invest the resources, and institute the processes, to find known security vulnerabilities in the components they ship and to patch them.
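The process the researchers call for, checking the open source components an app ships against a list of known vulnerabilities and then retesting after an update, is illustrated below. This is an added example written for this page; it is not code from the ACI report or from Insignary's Clarity scanner, and it works from a component inventory rather than from binaries. The component list and the advisory table are constructed for illustration, and the identifiers of the form CVE-0000-000N are placeholders, not real CVEs; the affected version ranges attached to the named libraries are likewise hypothetical.

```python
"""Match an app's open source components against known-vulnerability advisories.

Added example, not the ACI report's or Insignary Clarity's code. All advisory
data below is constructed: the CVE-0000-000N identifiers are placeholders and the
version ranges are hypothetical, chosen only to exercise the matching logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str               # placeholder identifier in this example
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str          # "critical", "high", "medium" or "low"


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][\w.]*))?")


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' or '3.12.0-rc1' into a tuple that compares correctly.

    Numeric parts are padded so that 1.2 == 1.2.0; a pre-release suffix sorts
    before the final release of the same number (3.12.0-rc1 < 3.12.0).
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    pre = m.group(2)
    return nums + ((0, pre) if pre else (1, ""))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(components: List[Tuple[str, str]], advisories: List[Advisory]):
    """Return (component, version, cve, severity) findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [
        (name, version, adv.cve, adv.severity)
        for name, version in components
        for adv in advisories
        if adv.component == name and is_affected(version, adv)
    ]
    findings.sort(key=lambda f: (order[f[3]], f[2], f[0]))
    return findings


def compare_scans(before, after):
    """Diff an initial scan against a retest: (remediated, still_present),
    each a sorted list of (component, cve) pairs."""
    b = {(f[0], f[2]) for f in before}
    a = {(f[0], f[2]) for f in after}
    return sorted(b - a), sorted(a & b)


# Constructed advisory table (placeholder IDs, hypothetical ranges).
ADVISORIES = [
    Advisory("CVE-0000-0001", "libpng", "1.6.0", "1.6.37", "critical"),
    Advisory("CVE-0000-0002", "libpng", "1.5.0", "1.6.30", "high"),
    Advisory("CVE-0000-0003", "sqlite", "3.0.0", "3.26.0", "critical"),
    Advisory("CVE-0000-0004", "okhttp", "3.12.0", None, "high"),
    Advisory("CVE-0000-0005", "zlib", "1.2.0", "1.2.11", "medium"),
]

# Constructed component inventory for a hypothetical app, before and after an update.
INITIAL_BUILD = [("libpng", "1.6.34"), ("sqlite", "3.24.0"),
                 ("zlib", "1.2.11"), ("okhttp", "3.12.0-rc1")]
UPDATED_BUILD = [("libpng", "1.6.37"), ("sqlite", "3.24.0"),
                 ("zlib", "1.2.11"), ("okhttp", "3.12.0-rc1")]


if __name__ == "__main__":
    first = scan(INITIAL_BUILD, ADVISORIES)
    second = scan(UPDATED_BUILD, ADVISORIES)
    for f in first:
        print("initial:", *f)
    remediated, outstanding = compare_scans(first, second)
    print("remediated on retest:", remediated)
    print("still present on retest:", outstanding)
```

Two edge cases in the constructed data are worth noting: zlib 1.2.11 sits exactly on the `fixed` boundary and is correctly reported clean, and okhttp 3.12.0-rc1 precedes the introduced version 3.12.0 and so is not flagged; a naive string comparison would get both wrong. Real scanning tools work from a curated advisory feed and, as in the page, often from binaries rather than a declared inventory, but the version-range matching and retest comparison are the same.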