60% of the most downloaded Android apps have at least one vulnerability, Synopsys found. In total, the experts identified 3,137 unique problems that can lead to data leakage. Russian experts point out that on iOS the situation may be the same or worse. Some of them believe that the discovered vulnerabilities pose a real threat, but all agree that after 2020 attackers will increasingly target applications, since the audience for mobile services changed a great deal during the pandemic.

Code content

Information security specialists from Synopsys analyzed 3,335 of the most downloaded mobile applications for Android in 18 categories, including games, financial utilities and others. It turned out that 98% of the programs use modules based on open source code, that is, code written earlier by third parties: on average, 20 such components per application.

The study also shows that 63% of applications contain at least one open source component with a vulnerability. On average, each application with potentially dangerous code has 39 information security problems. In total, the company discovered 3,137 unique vulnerabilities.

The overwhelming majority of the flaws found (94%) are already known to information security specialists, and ready-made fixes are available for them. About 5% of the vulnerabilities found have not been patched to date. Almost 1% of the detected vulnerabilities can be exploited remotely.

An in-depth analysis showed that about 46% of the flaws fall into the “high risk” group: they have either already been used by cybercriminals or have exploits (programs that take advantage of a vulnerability).

In conclusion, the researchers emphasized that all the vulnerabilities found can potentially lead to a leak of confidential data: for example, the addresses of sites you visit, IP addresses, email addresses, and more sensitive information such as passwords.

Anton Ponomarev, director of ESET’s corporate business department, told Izvestia that the figures put forward by Synopsys are close to reality and are similar to the results of their company’s research.

Risky savings

Nikolay Anisenya, head of the mobile application security research group at Positive Technologies, explains the popularity of open source code by the fact that developing applications based on it is cheaper, faster, and avoids common programming mistakes.

The presence of vulnerabilities in products based on such code is due to the fact that in some cases developers consciously take risks and save on protection.

– A full range of measures can cost a lot of money, and developers inevitably take some risks. Mature companies with high turnover and many users take security measures. But startups consider it much more important to focus on functions and monetization, and not at all on the safety of their users, – said Nikolay Anisenya.

Sergey Nenakhov, head of the information security audit department at Infosecurity, has a similar opinion. He believes that developers of mobile applications rarely check the code they use for vulnerabilities in order to save time and money.

– As a rule, developers of mobile games and applications first of all try to release a product to the market as soon as possible and start making money before someone else implements their idea. The development and implementation of security at the initial stage greatly increases the release time of the product, – the expert explained.

Despite the fact that the study does not feature applications for iOS, problems with vulnerabilities in open source are present on this platform, experts say. And some do not exclude that the situation on iOS is even worse than on Android.

– iOS is a more closed platform for developers, where applications have much fewer features than on Android. Developers hope for the security of the operating system itself, sometimes not paying due attention to the basic principles of building secure applications, – said Viktor Chebyshev, a mobile threat researcher at Kaspersky Lab.

Pavel Suprunyuk, head of the audit and consulting department of Group-IB, has a different opinion. iOS is doing better than Android, he said, because the Apple platform was originally designed to be more secure and more demanding on developers.

– Developers were given less freedom and more clear instructions on how and what to do. Hence, there were fewer liberties and opportunities to make mistakes, – said the specialist.

The danger is just around the corner

The ESET expert says that by the end of 2020 the problem of mobile application security had become more urgent than before: during the pandemic, the audience of these applications changed noticeably and became more attractive to cybercriminals.

– Before the pandemic, games were at the top of application use, and 2020 pushed forward business applications, where vulnerabilities can do much more harm. The most alarming thing is that the highest percentage of risk is in banking and payment applications, – Anton Ponomarev shared his opinion.

According to him, mobile applications store a huge amount of personal information, including bank card details, accounts, passwords, encryption keys. And this data, the expert believes, becomes relatively easy to collect when there are vulnerabilities in applications.

– In total, experts identify 10 types of vulnerabilities, and the most important of them is the quality of the code. Poor-quality code can lead, among other things, to simplifying the collection of information, – explained Anton Ponomarev.

In turn, Nikolay Anisenya says that the presence of a vulnerable open source component in an application does not mean the vulnerability can actually be exploited. An application may not use all of a component's code, so a vulnerability in an unused part of a component is not reachable by an attacker.

However, the specialist notes that the unused part of the component can be activated by the developers later, for example, after an application update.
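The two points above (a known-vulnerable component is only a real problem if the vulnerable code is reachable, and a later update can make it reachable) are what a software-composition check with reachability analysis is meant to answer. The following is an added example, not code from the Synopsys study or from any of the quoted experts; every component name, version, advisory id and call graph in it is constructed for illustration, and the advisory ids are placeholders rather than real CVE numbers.

```python
"""Toy software-composition check: match an app's component list against an
advisory list, then test whether the vulnerable function is reachable from
the app's own entry points.  All data below is constructed (hypothetical
components, versions, advisory ids and call graph)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # placeholder id, not a real CVE
    component: str               # open source component name
    affected_below: Version      # versions older than this are affected
    fixed_in: Optional[Version]  # None means no patch has been released
    vulnerable_symbol: str       # the component function that carries the bug


# Constructed advisory list (hypothetical components and ids).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "imagekit", (2, 4, 0), (2, 4, 0), "imagekit.decode_tiff"),
    Advisory("EXAMPLE-0002", "netlog", (1, 1, 0), None, "netlog.format_header"),
    Advisory("EXAMPLE-0003", "jsonparse", (3, 0, 2), (3, 0, 2), "jsonparse.parse_deep"),
]

# Constructed bill of materials for one app: component name -> version.
SAMPLE_SBOM = {"imagekit": "2.3.1", "netlog": "1.0.5", "jsonparse": "3.1.0", "uilib": "4.0.0"}

# Constructed call graph of the app plus its components: caller -> callees.
SAMPLE_CALL_GRAPH: Dict[str, Set[str]] = {
    "app.main": {"app.show_photo", "app.send_report"},
    "app.show_photo": {"imagekit.decode_jpeg"},
    "imagekit.decode_jpeg": {"imagekit.read_exif"},
    "app.send_report": {"netlog.format_header"},
    # imagekit.decode_tiff exists in the component but nothing in the app calls it.
}
SAMPLE_ENTRY_POINTS = {"app.main"}


def parse_version(v: str) -> Version:
    """'2.3.1' -> (2, 3, 1); tuple comparison then orders versions."""
    return tuple(int(part) for part in v.split("."))


def find_vulnerable(sbom: Dict[str, str]) -> List[Advisory]:
    """Advisories whose component appears in the SBOM at an affected version."""
    hits = []
    for adv in ADVISORIES:
        version = sbom.get(adv.component)
        if version is not None and parse_version(version) < adv.affected_below:
            hits.append(adv)
    return hits


def reachable(call_graph: Dict[str, Set[str]], entry_points: Set[str]) -> Set[str]:
    """Every function transitively callable from the entry points (depth-first)."""
    seen: Set[str] = set()
    stack = list(entry_points)
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, ()))
    return seen


def assess(sbom: Dict[str, str], call_graph: Dict[str, Set[str]],
           entry_points: Set[str]) -> List[dict]:
    """One report row per matched advisory: is a fix available, and is the
    vulnerable function actually reachable from the app's code?"""
    reach = reachable(call_graph, entry_points)
    return [
        {
            "advisory": adv.advisory_id,
            "component": adv.component,
            "fix_available": adv.fixed_in is not None,
            "reachable": adv.vulnerable_symbol in reach,
        }
        for adv in find_vulnerable(sbom)
    ]


if __name__ == "__main__":
    for row in assess(SAMPLE_SBOM, SAMPLE_CALL_GRAPH, SAMPLE_ENTRY_POINTS):
        print(row)
```

On the constructed data, the imagekit advisory matches but its vulnerable function is never called, so it is flagged as present but unreachable, while the netlog advisory is both reachable and unpatched. Adding a single call edge to the graph (the kind of change an application update introduces) is enough to turn the dormant imagekit finding into a reachable one, which is why a component-level match should be re-evaluated on every release rather than dismissed once.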

– If we consider that the vulnerable code is not always active and there are often limitations for exploiting the vulnerability, then in general you should not panic. But it’s worth insuring yourself with basic security measures: at least you should set up two-factor authentication in applications where it is available, – advised Nikolay Anisenya.

The Kaspersky Lab expert added that the degree of threat depends on the category of the application with the problematic code. For example, a vulnerability in a popular messenger is an extremely risky situation, while a vulnerability in, say, a flashlight application is unlikely to pose much risk.

– Of course, the fact is alarming and requires a prompt response from the developers, and since there are patches, it means that everything can be fixed quickly enough. The question is how long ago the study was conducted and whether the developers of vulnerable applications were informed about it, – concluded Viktor Chebyshev.

At the time of publication, Izvestia had not received any comment from Synopsys.