Scan reveals known open source vulnerabilities in popular Android apps

Widespread use of unpatched open source code in popular Android apps is causing significant security vulnerabilities, warns the non-profit American Consumer Institute Center for Citizen Research (ACI).

ACI’s research team used Insignary’s Clarity binary code scanner to examine the ten most popular applications in the 33 main app categories in Google Play Store, and found that 105 out of 330 contained known (CVE-numbered) vulnerabilities in their open source components.

The findings

The vulnerabilities range from low to critical, and can be exploited to compromise consumer and enterprise devices, to perform data theft, identity theft, fraud or corporate espionage.

“Critical vulnerabilities were found in many common applications, including some of the most popular banking, event ticket purchasing and travel apps,” the researchers noted.

“For example, Wells Fargo and Bank of America mobile apps each contained over 30 critical vulnerabilities. Other unpatched apps with critical vulnerabilities, according to Clarity’s scan, included Sephora, Vivid Seats, TripAdvisor and a wide array of applications that extensively use personal or financial information.”

High-risk vulnerabilities were most frequent in apps in the entertainment, libraries and demo, finance, and productivity categories.

The researchers retested some of the apps a few weeks after the initial scan.

As noted before, the first sweep revealed that the Wells Fargo and Bank of America apps contained over 30 critical vulnerabilities, including CVE-2013-0749, a vulnerability that could allow attackers remote access to devices, which could crash the application or lead to denial-of-service attacks or memory corruption. The second scan revealed that all the vulnerabilities were patched.

“On the other hand (…) one popular app used as a platform to buy and sell event tickets, Vivid Seats, had the highest risk in its category, including 19 critical vulnerabilities. After retesting the newest software, the Clarity scans showed that the Vivid Seats software was still suffering from the same vulnerabilities,” the researchers revealed.

Positive action is needed

The researchers believe that Google App Store apps are a suitable proxy for all enterprise, consumer and embedded software that utilizes open source components, and that application developers need to invest the resources and institute processes for finding known security vulnerabilities in their code and patching them.

“This is a logical, first step in a more comprehensive effort needed to protect consumers and businesses from hackers. Before government regulators intervene, application developers should take immediate, proactive steps to patch their applications that contain open source components and notify consumers when software updates are available. The potential for serious damage will only increase as open source code becomes even more widely used,” they concluded.