Cutting corners: Research shows that trusting Google to be the best gatekeeper for the Play Store isn’t the best idea. The company is putting a lot of effort into finding apps that are malicious or contain severe security vulnerabilities, but usually after letting them into the Store with as little vetting as possible. Experts are calling attention to a new point of attack that can even be used against some of the most popular apps.
Most people use smartphones without worrying about the security of essential apps we use in our daily lives. Google routinely removes apps that are found to contain malware or adware, as well as apps that are crafted specifically to dupe you into paying for subscriptions. And most of us would assume that updating our apps and mobile operating system to the latest revisions means that any potential for security vulnerabilities are reduced to a minimum.
It turns out that isn’t the case, even for big name apps. According to a report from cybersecurity firm Check Point, there are tens of vulnerabilities that are found every day, some of them in the apps themselves and others in external shared code libraries that are used by those apps to enable specific features. Updating them to keep up with the most current security threats is a monumental task, so app developers have to prioritize which ones get fixed first.
The researchers decided to take a look at how many apps in the Google Play Store are currently still using vulnerable libraries. They hunted specifically for three vulnerabilities that are rated critical and were disclosed in 2014, 2015, and 2016. This won’t surprise the infosec community, but the resulting list includes over 800 popular Android apps and games that have been downloaded a total of 5 billion times.
Among the affected apps are some that people use very frequently, like Facebook, WeChat, Messenger, Instagram, AliExpress, TuneIn and SHAREit. The shared libraries have all been updated since the vulnerabilities were discovered, but new versions of those popular apps still use the outdated libraries.
Facebook says that’s not a problem because of the way its apps are coded, those vulnerabilities are useless for potential attackers. Google is currently investigating and trying its best to push app developers to work on fixes. Then again, the company wanted to flood its app store with apps with permissive policies, which ultimately led to a situation where new apps aren’t vetted properly and popular apps don’t get fixed unless there is public pressure to do so.
Check Point researchers note that while the apps might not use those old libraries that often, that still doesn’t count as good security. The vulnerabilities selected for this analysis are likely not the only ones, and they leave an open door for determined attackers, who are more likely to try and exploit a well-known vulnerability as opposed to the latest techniques.
This may not be as big of an issue as apps that imitate the look and feel of popular apps to siphon your personal data. And app developers may dismiss the new findings as insignificant. But you only need to look at Google’s bug bounty programs to see why keeping track of all external components of mobile apps is worth it.
This year over 1,000 Android apps were found to harvest your personal data even after you deny them any relevant permissions after installing them. Interestingly enough, the apps themselves were relatively secure, but they used third-party libraries that were littered with code that could be used for data collection.
- Prehistoric baby sharks were raised in NURSERIES 16 million years ago, fossilised megalodon teeth reveal
- Giant SHARK — possibly a megalodon — sunk its teeth into a baleen whale 15 million years ago, bite marks on a flipper bone reveal
- Warning over 23 dodgy Android apps that record you through your camera – delete them NOW
- 22 royal mummies, kings and queens who died more than 3,000 years ago, get a parade to move to their new home
- China’s high-profile disappearances before Peng Shuai include Jack Ma, actress Fan Bingbing
- As the world asks #WhereIsPengShuai, here's a look at what drives high-profile disappearances in China
- CBS News poll: A third of Americans are eating less meat than a few years ago
- First known sexual transmission of Zika virus in U.S. was eight years ago
- Fossil of early hominid child who died almost 250,000 years ago found in South Africa
- Virus probably killed prince from Matejovce 1,600 years ago
- Kyle Rittenhouse’s former lawyer predicted weapons charge dismissal a year ago in politically charged case
- Remains of ancient food eaten by humans 65,000 years ago discovered in Australia
- California Leaders Vow to Crack Down After High-Profile Burglaries
- Viewership for high profile second night of the DNC fails to live up to past years, early data shows
- What drives high-profile disappearances in China? An explainer
- Remains found in Colorado national park may belong to man who vanished 38 years ago
- $66 million Klimt painting stolen 20 years ago may have been found
- Clippers Draw Some High-Profile Offers
- Yellowstone volcano supereruption 2 million years ago lasted for decades, researchers find
- EastEnders legend looks unrecognisable after quitting BBC soap 31 years ago
Several high profile Android apps still have vulnerabilities discovered years ago have 896 words, post on www.techspot.com at November 23, 2019. This is cached page on TechNews. If you want remove this page, please contact us.