Research Shows Glaring Mobile App Security Issues

The COVID-19 pandemic has driven the world online in remarkable ways, forever changing the way we work, learn, and interact. The increased reliance on mobile applications is starkly apparent; mobile app usage grew 40% year-over-year in the second quarter of 2020, according to App Annie. In the recently released “Peril in a Pandemic: The State of Mobile Application Security” report, the Synopsys Cybersecurity Research Center’s analysis sheds light on the potential security concerns that both application consumers and application developers need to be aware of.

The report analyzed over 3,000 of the top applications in the Google Play store and revealed some concerning results across three core areas of security risk: open source security vulnerabilities, instances of potential sensitive information leakage left behind in the application code and excessive use of mobile device permissions.

Open Source Security Vulnerabilities

Open source forms the foundation of nearly every software application in use today, and the same is true for mobile applications. Ninety-eight percent of the 3,335 applications analyzed contained open source components. And, while the presence of open source itself is not a concern, the fact that 63% of the applications contained known security vulnerabilities, with an average of 39 vulnerabilities per app, is.

The pervasiveness of open source can make vulnerability remediation an overwhelming task for development teams, which is why prioritization matters: 44% of the vulnerabilities found are considered high risk because a working exploit is publicly available, and those need to be remediated first. The good news? Ninety-four percent have publicly documented fixes.

Given that 73% of the vulnerabilities found were publicly disclosed more than two years ago, it stands to reason that app developers either aren’t aware that these vulnerabilities exist in their applications, or that they don’t have the resources or information required to fix them. Considering these applications have been downloaded millions of times and hold the data of the millions of consumers who use them, the security risk is substantial. A single open source vulnerability like the one in Apache Struts (CVE-2017-5638), which was the root cause of the 2017 Equifax breach that exposed the personal information of 147 million people, can wreak havoc for companies and consumers alike.

Potential Instances of Information Leakage

Information leakage occurs when developers accidentally leave personal or sensitive data in the source code, resources or configuration files of an application. In the wrong hands, that information can be used maliciously. In a widely reported recent example, a former SolarWinds intern had committed an internal password to a public GitHub repository, where it sat exposed for months. No public evidence ties that particular password to the 2020 supply chain attack on the SolarWinds Orion platform, but that attack shows what is at stake: a compromised build delivered a backdoor to as many as 18,000 SolarWinds customers, including the Department of Homeland Security, exposing them to malware, broadened access and spying.

The study also found thousands of pieces of sensitive information left behind in apps, including 2,224 passwords, tokens or keys, 10,863 email addresses and 392,795 IP addresses and URLs. Each can be damaging to a company on its own; taken together they can be exactly the pieces of information an attacker needs to gain access. A token, key or password, combined with an email address (often also used as a username) and the IP address or URL of an internal system, can provide direct access to servers, systems or other sensitive properties.
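As an added example (not the report’s own tooling), the following script shows how the categories above can be checked for in a build before it ships. It runs over plain text such as the output of `strings classes.dex` or the contents of `res/values/strings.xml`, flags credential formats (an AWS access key, a JWT, a PEM private key, or a suspicious `password=`/`token=` assignment) as high severity, and reports email addresses, URLs and IP addresses as informational. The sample strings are constructed for the example; the `AKIA…EXAMPLE` key is the placeholder AWS publishes in its own documentation. The patterns are illustrative, not exhaustive.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Patterns that identify a specific credential format.
CREDENTIAL_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Fallback: a key/value assignment whose name suggests a secret. Only applied on
# lines where no specific credential format matched, to avoid double counting.
GENERIC_CREDENTIAL = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*(\S+)")
# Infrastructure details: not secrets by themselves, but useful to an attacker.
INFRA_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    severity: str   # "high" for credentials, "info" for infrastructure details
    value: str      # credentials are redacted so the report itself does not leak them


def redact(value: str) -> str:
    # Keep a short prefix so the finding can be located, never the whole secret.
    return value[:4] + "..." if len(value) > 4 else "..."


def scan(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_credential = False
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, "high", redact(m.group(0))))
                matched_credential = True
        if not matched_credential:
            for m in GENERIC_CREDENTIAL.finditer(line):
                findings.append(Finding(line_no, "credential_assignment", "high", redact(m.group(1))))
        for kind, pattern in INFRA_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, "info", m.group(0)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: the kind of text `strings` pulls out of a release build.
SAMPLE_STRINGS = """\
app_name=Example Fitness
api_base=https://api.example.internal/v2/
debug_host=10.23.4.17:8443
support_email=devops@example.com
aws_access_key=AKIAIOSFODNN7EXAMPLE
auth_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.abcdefghijklmnopqrstuvwxyz012345
-----BEGIN RSA PRIVATE KEY-----
db_password=changeme
version=1.4.2
"""

if __name__ == "__main__":
    results = scan(SAMPLE_STRINGS)
    for f in results:
        print(f"line {f.line_no}: [{f.severity}] {f.kind} {f.value}")
    print(summarize(results))
```

Wire this into the release pipeline so that any `high` finding fails the build; the `info` findings are worth a look too, since an internal hostname plus a leaked token is precisely the combination described above. Note that `version=1.4.2` is not reported as an IP address because the pattern insists on four octets.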

Excessive Mobile Permissions

Consumers are relatively comfortable granting applications access, particularly when an application has an obvious use for the permission. For example, it’s easy to understand why a mobile banking application wants access to your camera: if you want to enable mobile check deposits, allowing that access seems reasonable. However, not every request can be explained so easily. And if the application or the device is compromised, some of these permissions go from innocent to devastating for consumers.

Android assigns every permission a protection level, and we grouped the permissions we found into three categories along those lines: normal permissions (granted automatically at install time, such as network access), sensitive permissions (Android’s “dangerous” level, which the user must grant at run time: location, camera, contacts and the like) and permissions not for use by third-party applications (signature and privileged-level permissions that only the operating system vendor’s own components can hold). On average, the applications analyzed requested 18 permissions each. Fifty-six percent of the permissions we found were normal; however, 26% were sensitive and 18% were not for use by third-party applications. And in a few extreme cases, some mobile applications requested more than 50 permissions!

In some cases, these findings likely point to applications that were poorly developed or whose developers did not fully understand Android permissions. In one example, a health and fitness application with over 5 million downloads requested a permission that would let it run as the root user, giving it access to the entire phone. Not only is this an unnecessary level of access, it could have severe consequences for consumers if the permission were granted and misused.

While there were egregious examples found in some very popular applications – like an educational app requesting precise location information for its likely young user base – the overall data shows that applications with problematic permissions exist in every category. The bottom line: users must understand what level of access they are providing an application to ensure the security of their data. And, application developers need to understand the permissions they’re requesting, because ultimately, they are responsible for the ramifications of a potential breach.
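The check developers can run on their own manifests, as an added example that is not part of the report: parse `AndroidManifest.xml`, bucket each `<uses-permission>` into the three categories used above, and fail the build when a request is reserved for the platform (it will never be granted to a third-party app, so it only adds exposure and suspicion) or when a sensitive permission has no documented feature behind it. The permission sets below are a small illustrative subset of Android’s protection levels, not the full list; the manifest and the `JUSTIFIED` mapping are constructed for the example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree key for android:name

# Illustrative subset of Android protection levels. The authoritative list is
# the platform documentation, or `adb shell pm list permissions -f` on a device.
NORMAL = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE", "android.permission.WAKE_LOCK",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.FOREGROUND_SERVICE",
}
DANGEROUS = {   # the report's "sensitive" category: granted by the user at run time
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
NOT_FOR_THIRD_PARTY = {   # signature / privileged level: platform and OEM components only
    "android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
    "android.permission.WRITE_SECURE_SETTINGS", "android.permission.REBOOT",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS", "android.permission.READ_LOGS",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def classify(permission: str) -> str:
    if permission in DANGEROUS:
        return "dangerous"
    if permission in NOT_FOR_THIRD_PARTY:
        return "not_for_third_party"
    if permission in NORMAL:
        return "normal"
    return "unlisted"   # custom or unknown to this subset: review by hand


def audit(manifest_xml: str, justified: dict[str, str]) -> dict:
    """Return counts per category and a list of problems suitable for a CI gate."""
    perms = requested_permissions(manifest_xml)
    counts = {"normal": 0, "dangerous": 0, "not_for_third_party": 0, "unlisted": 0}
    problems = []
    for p in perms:
        level = classify(p)
        counts[level] += 1
        if level == "not_for_third_party":
            problems.append(f"{p}: reserved for the platform; a third-party app is never "
                            f"granted it, so the request only adds exposure. Remove it.")
        elif level == "dangerous" and p not in justified:
            problems.append(f"{p}: runtime permission with no documented feature that needs it")
    return {"total": len(perms), "counts": counts, "problems": problems}


# Constructed manifest for a hypothetical fitness app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <application android:label="Example Fitness"/>
</manifest>
"""
# Each sensitive permission maps to the feature that needs it (constructed).
JUSTIFIED = {
    "android.permission.ACCESS_FINE_LOCATION": "route tracking during a run",
    "android.permission.CAMERA": "scanning the gym check-in QR code",
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, JUSTIFIED)
    print(report["total"], "permissions requested:", report["counts"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Requiring a written justification per sensitive permission is the cheap half of the fix; the other half is removing requests that can never be granted, which is exactly what the `INSTALL_PACKAGES` and `READ_LOGS` lines above catch.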

Actionable Steps for Application Developers

This look at the state of mobile application security during COVID-19 will no doubt raise both concerns and questions. As a developer, you may be asking how to shore up your own application’s security. A few core principles can help app developers close the gaps described above and protect themselves from the fallout of a potential breach.

Know What’s in Your Code

Developers are under increasing pressure to move quickly and focus on core innovation. Open source is a great and necessary foundation for software today, given it can provide developers the functional elements they need and enable them to focus on creating innovative features. However, without an accurate inventory of open source components in an application, developers won’t know if and when a potential vulnerability could impact their application. To fully reap the benefits of open source software while staying on top of potential security risk, teams should use a software composition analysis (SCA) tool that provides:

Diverse information sources. Teams must have reliable and diverse sources of vulnerability data that are automatically pushed to them.

Identification of vulnerable components. Pinpointing vulnerable components depends first on identifying and inventorying all open source components in an app and continuously monitoring them for vulnerabilities.

Informed prioritization. Armed with an inventory and a list of vulnerabilities, teams should leverage additional information about the vulnerabilities such as their severity, reachability and exploitability to prioritize what to fix first.

Complete patch information. Once the team understands what to fix, they need clear and concise patch information to quickly apply the fix.
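The four capabilities above, reduced to working code as an added example (this is illustrative logic, not the behaviour of any particular SCA product): an inventory of components and versions is matched against an advisory feed by version range, the hits are ordered by public exploit availability, reachability from the app’s own code, severity and whether a fix exists, and each row ends in a concrete action. The inventory, the advisories (placeholder IDs of the form `ADV-000n`, not real CVEs), the `REACHABLE` map (which a real tool would derive from call-graph analysis) and the reference date are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    id: str               # constructed placeholder, not a real identifier
    component: str
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version; None if no fix is published
    cvss: float
    exploit_public: bool
    disclosed: date


def parse_version(version: str) -> tuple[int, ...]:
    # Adequate for dotted numeric versions; real SCA tools also handle
    # qualifiers such as "-beta1" and ecosystem-specific ordering rules.
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def match(inventory: dict[str, str], advisories: list[Advisory]) -> list[Advisory]:
    """Identification: which advisories apply to the versions actually in the build."""
    return [a for a in advisories
            if a.component in inventory and is_affected(inventory[a.component], a)]


def priority(adv: Advisory, reachable: dict[str, bool]) -> tuple:
    # Informed prioritization, highest first: a public exploit outranks everything,
    # then whether app code can reach the component, then CVSS, then "fix exists"
    # (cheap upgrades before hard mitigations).
    return (adv.exploit_public, reachable.get(adv.component, False), adv.cvss, adv.fixed is not None)


def plan(inventory: dict[str, str], advisories: list[Advisory],
         reachable: dict[str, bool], today: date) -> list[tuple[str, str, str, int]]:
    """Rows of (advisory id, component, action, days since disclosure), most urgent first."""
    hits = sorted(match(inventory, advisories), key=lambda a: priority(a, reachable), reverse=True)
    rows = []
    for a in hits:
        action = f"upgrade to {a.fixed}" if a.fixed else "no fix published: mitigate or replace"
        rows.append((a.id, a.component, action, (today - a.disclosed).days))
    return rows


# Constructed inventory, as a dependency report would list it.
INVENTORY = {
    "org.example:http-client": "2.3.1",
    "org.example:json-parser": "1.4.0",
    "org.example:image-codec": "0.9.5",
    "org.example:logging": "5.0.0",
}
# Constructed advisory feed (placeholder IDs).
ADVISORIES = [
    Advisory("ADV-0001", "org.example:json-parser", "1.0.0", "1.4.2", 9.8, True, date(2018, 6, 1)),
    Advisory("ADV-0002", "org.example:http-client", "2.0.0", "2.3.0", 7.5, True, date(2019, 2, 10)),
    Advisory("ADV-0003", "org.example:image-codec", "0.9.0", None, 7.8, False, date(2020, 9, 1)),
    Advisory("ADV-0004", "org.example:http-client", "2.3.0", "2.4.0", 5.3, False, date(2020, 3, 15)),
    Advisory("ADV-0005", "org.example:logging", "4.0.0", "4.8.0", 9.0, True, date(2020, 1, 20)),
]
# Constructed reachability: whether the app's own code calls into the component.
REACHABLE = {"org.example:json-parser": True, "org.example:http-client": True,
             "org.example:image-codec": False}
TODAY = date(2021, 3, 1)   # constructed reference date for the age calculation

if __name__ == "__main__":
    for advisory_id, component, action, age_days in plan(INVENTORY, ADVISORIES, REACHABLE, TODAY):
        print(f"{advisory_id} {component}: {action} (disclosed {age_days} days ago)")
```

Two things the ordering makes visible: `ADV-0002` and `ADV-0005` drop out because the inventory already carries fixed versions, so an accurate inventory removes noise before anyone triages; and the medium-severity but reachable `ADV-0004` outranks the higher-CVSS `ADV-0003` that the app never calls. The age column is the report’s “disclosed more than two years ago” figure applied per finding.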

In addition to getting a handle on open source, ensuring developers have easy, ongoing access to security training can help in ensuring mobile permissions are used appropriately and critical sensitive data isn’t left behind in the code.

Ideally, in addition to training, one final check on the compiled application adds a last layer of assurance before release. Binary analysis tools that work on the built artifact rather than the source tree can surface lingering open source vulnerabilities, leftover secrets and internal addresses, and every permission the application actually requests, including anything pulled in by third-party SDKs that never appeared in the developer’s own code. Performing this check before the app reaches the app store lets developers and consumers alike rest a little easier, knowing that sensitive data is being protected.
