A new study to be published this week revealed that nearly half of the Top 50 Android mobile apps inherit vulnerabilities from the third-party code their developers reuse.
The Codenomicon research team, which also co-discovered the OpenSSL Heartbleed vulnerability, found that the developers of many of the most popular apps lack the security practices needed to ship applications free of known vulnerabilities.
Codenomicon’s chief security specialist Olli Jarva reported that 80-90 percent of mobile app software is made up of reused libraries, most of them open source. Jarva also noted that it is not uncommon for developers to avoid “investing in reinventing the wheel” on every new app pushed to the market.
“We’re seeing the end products inherit vulnerabilities—sometimes it’s just poor software design or logic errors in implementations, and sometimes those bugs are identified and patched,” said Jarva. “Sometimes, like in the case of Heartbleed, they are not identified for two years.”
Although the researchers found that many of the developers were unaware that the recycled code included unpatched vulnerabilities, Jarva claims there are instances in which the flawed code is supplied intentionally for malicious purposes.
In addition, the study showed that more than half of the Top 50 apps disclose user data, such as the Android ID, location data and mobile phone number, to third-party advertisers without the user’s consent. Ten percent of the applications were found to be connected to more than two ad networks, more than 30 percent of the apps transmitted private data in plain text, and others did not use proper encryption.
“IT security should be concerned by any app that sends irrelevant or sensitive information to third, fourth, and fifth parties if this communication doesn’t align with what the app purports to do,” said Jarva.
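The kind of check a practitioner would run to surface the behaviour described above, as an added example that is not part of the Codenomicon study or its tooling: it scans proxy-style request records (URL plus body, the shape an intercepting proxy such as a MITM proxy would log) for an Android ID, a phone number or GPS coordinates sent to a host outside the app’s own domain, and rates the finding higher when the request went over plain http. The sample records, the first-party domain `example-app.com` and the value patterns are constructed assumptions; the registrable-domain logic is deliberately naive.

```python
"""Flag device identifiers sent to third-party hosts, plaintext or not.

Added example (not from the study). Input records mimic an intercepting
proxy's log: {"url": ..., "body": ...}. Identifier patterns are
heuristics and the domain splitting is naive (last two labels).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: one first-party call, three ad/tracker calls.
SAMPLE_REQUESTS = [
    {"url": "https://api.example-app.com/v1/sync", "body": "user=42"},
    {"url": "http://ads.example-adnet.net/track?android_id=9774d56d682e549c"
            "&lat=37.4219&lon=-122.0840", "body": ""},
    {"url": "http://tracker.example-thirdparty.io/collect",
     "body": "msisdn=%2B15555550100&aid=9774d56d682e549c"},
    {"url": "https://ads.example-adnet.net/secure?android_id=9774d56d682e549c",
     "body": ""},
]

# Assumed first-party domain; anything else counts as a third party.
FIRST_PARTY = {"example-app.com"}

# Heuristic value shapes: 16 hex chars (Android ID), E.164-ish phone number,
# decimal degrees with at least three fractional digits (GPS coordinate).
PATTERNS = {
    "android_id": re.compile(r"^[0-9a-f]{16}$"),
    "phone": re.compile(r"^\+?[0-9]{10,15}$"),
    "coordinate": re.compile(r"^-?\d{1,3}\.\d{3,}$"),
}


def registrable_domain(host):
    """Naive registrable domain (last two labels); use a public-suffix
    list in real tooling so that e.g. 'co.uk' hosts are handled."""
    return ".".join(host.split(".")[-2:])


def classify(record):
    """Return host, transport and the identifier kinds found in one request."""
    parts = urlsplit(record["url"])
    params = parse_qs(parts.query)
    params.update(parse_qs(record.get("body", "")))  # form-encoded body too
    leaked = sorted({
        kind
        for values in params.values()
        for value in values
        for kind, rx in PATTERNS.items()
        if rx.match(value)
    })
    return {
        "host": parts.hostname,
        "plaintext": parts.scheme == "http",
        "third_party": registrable_domain(parts.hostname) not in FIRST_PARTY,
        "leaked": leaked,
    }


def find_findings(records):
    """(host, severity, kinds) for every third-party request carrying an
    identifier; 'high' when it also travelled over plain http."""
    findings = []
    for record in records:
        c = classify(record)
        if c["leaked"] and c["third_party"]:
            severity = "high" if c["plaintext"] else "medium"
            findings.append((c["host"], severity, c["leaked"]))
    return findings


if __name__ == "__main__":
    for host, severity, kinds in find_findings(SAMPLE_REQUESTS):
        print(f"{severity:6} {host}: {', '.join(kinds)}")
```

The https call to the ad network is still reported, at lower severity: encryption in transit stops a network observer, not the advertiser, which is the point Jarva makes about data that does not align with what the app purports to do.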
Meanwhile, the number of apps released every day continues to grow at a fast pace, and the Google Play Store now offers users more than 1.3 million Android apps, close to 20 percent of which are considered low quality.
“The difficulty we face is that the motivating factor for app delivery is rarely the quality of security,” said Jarva. “More testing means more time spent, and that means more cost for the developer and a higher price for the solution. It only becomes an issue when something bad happens.”