April 24, 2018 – Insignary, the global leader in binary-level open source software security and compliance, is unveiling the results of a recently completed, comprehensive binary code scan of the 700 most popular Android apps on the Google Play Store. For the first time, Insignary Clarity™ has applied its fingerprint-based binary scanning technology to Android Package Kit (APK) files to look for open source components with known security vulnerabilities. The findings show that approximately 1 in 5 of the most popular Android apps on the Google Play Store contains open source components with publicly known security vulnerabilities that attackers can exploit. Users may visit the free site www.TruthIsIntheBinary.com to test for themselves whether an APK file contains known vulnerable components before they install it on their devices.
“With today’s software and development procurement model, it has been almost impossible to know what open source components reside in software. Our tool is the first to be able to catalog all open source components in binary files – the software format consumers receive and use – and report which components are known to harbor known security vulnerabilities,” said Tae-Jin (TJ) Kang, CEO of Insignary, Inc. “While our tool works on enterprise software, we felt that a good proxy for demonstrating the number of known security vulnerabilities that lurk in today’s code was to scan easily available apps. As a demonstration, we decided to examine the 700 most popular apps, by downloads, on the Google Play Store. We found that 20% of the Android apps scanned have open source components known to contain security vulnerabilities. Given that consumers and businesses rely as heavily as they do on their smartphones, we were surprised by the lack of the most basic security precautions app developers could take, namely to deploy updated software versions without known security vulnerabilities.”
About the Study
During the first week in April of 2018, Insignary’s research and development team scanned the APK files of the 700 most popular apps by downloads on the Google Play Store. The team selected the 20 most popular apps in each of the 35 main Android app categories, including “Games,” “Productivity,” “Social,” “Entertainment” and “Education,” among others.
Following are some of the key findings:
- The binary scans show that Google Play Store apps from leading software vendors ship versions of open source components with known security vulnerabilities. Out of the 700 APK files scanned, 136 (19.4%) contain at least one vulnerable open source component.
- 57% of the 136 vulnerable APK files contain at least one vulnerability ranked “Severity High,” so the build currently shipped to users is exposed to an issue its vulnerability database classifies as high severity, not merely a low-impact one.
- 86 of the 136 vulnerable APK files contain vulnerabilities associated with OpenSSL.
- 58 of the 136 vulnerable APK files contain vulnerabilities associated with FFmpeg or libpng. The prevalence of these components follows from how much image and video handling mobile applications do.
- Three of the APK files scanned contain more than five vulnerable binaries each; the majority of the vulnerable APK files contain one to three vulnerable binaries.
- 70% of the top 20 apps in the “Games” category (14 of 20) contain known vulnerable components.
- 30% of the top 20 apps in the “Sports” category (6 of 20) contain known vulnerable components.
- Taken together, the study shows that 1 in 5 APK files ships an outdated version of an open source component for which a fixed release already exists.
The open source community has already released new versions of the components that address almost all of the vulnerabilities found. Software developers and vendors can adopt these versions to prevent data breaches and the litigation and corporate losses that follow them. Interestingly, during discussions with various vendors, Insignary encountered a few developers who said they prefer to backport fixes by hand, applying patches line by line to the version they already ship.
Though others may use this ad hoc approach to addressing vulnerabilities, it appears to be the exception rather than the rule. It can work, but only if the developer tracks every subsequent advisory for that component and backports every fix; a single missed patch leaves the app exposed. It is therefore still recommended that Android app developers scan their binaries to confirm that they have caught and addressed all known security vulnerabilities.
Insignary’s findings suggest two explanations for Android app developers failing to use a fixed component version: either they are not aware of the open source vulnerability issues, or they have no process or tool that accurately finds and reports open source components with known security vulnerabilities.
About the Tool Used to Examine the Android APK Files
To conduct this study effectively and accurately, Insignary used Clarity™, a security solution that proactively scans software binaries for known, preventable security vulnerabilities while also identifying license compliance issues. It uses fingerprint-based technology that works at the binary level, without the need for source code or reverse engineering. This makes it practical for software developers, value added resellers (VARs), systems integrators and MSPs overseeing software deployments to take preventive action before software delivery.
Insignary’s Clarity extracts “fingerprints” from binary code and compares them against fingerprints collected from open source components in numerous open source repositories. A checksum or hash-based binary scanner can only match a byte-identical build, so it must keep a separate database entry for every CPU architecture, compiler and build configuration of each component version; Clarity does not need separate databases per architecture. This significantly increases Clarity’s flexibility and accuracy in comparison to legacy binary scanners.
Once a component and its version have been identified through Clarity’s fingerprint matching, looking them up against the more than 180,000 known security vulnerabilities catalogued in databases such as the NVD is straightforward. Clarity also provides “fuzzy matching” of binary code and supports LDAP, a RESTful API, and automation servers such as Jenkins.
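As an added illustration of the check the study performs (this is example code written for this page, not Insignary’s Clarity and not its fingerprint matching), the script below treats an APK as the ZIP archive it is, pulls the version banners that OpenSSL, libpng and FFmpeg compile into their native libraries, and compares them against a minimum-version policy. The sample APK, the policy floors and the three-component list are constructed for the example; a real scan would look the identified version up in a vulnerability database such as the NVD instead of a hard-coded floor.

```python
import io
import re
import zipfile

# Banner strings these libraries compile into their binaries
# (OPENSSL_VERSION_TEXT, libpng's header version string, libavcodec's ident).
BANNERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "ffmpeg": re.compile(rb"Lavc(\d+\.\d+\.\d+)"),
}

# Hypothetical minimum-version policy (an assumption for this example, not a
# vulnerability database): anything older is reported as outdated.
MIN_VERSION = {
    "openssl": "1.0.2o",
    "libpng": "1.6.34",
    "ffmpeg": "58.18.100",
}


def parse_version(text):
    """Turn '1.0.2g' into a comparable tuple; the OpenSSL letter suffix
    becomes a fourth numeric element (a=1, b=2, ...; none=0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if m is None:
        raise ValueError("unparseable version: %r" % text)
    major, minor, patch, letter = m.groups()
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def scan_blob(data):
    """Return {component: sorted list of versions} for every banner in data."""
    found = {}
    for name, rx in BANNERS.items():
        versions = sorted({m.group(1).decode("ascii") for m in rx.finditer(data)})
        if versions:
            found[name] = versions
    return found


def scan_apk(apk_bytes):
    """An APK is a ZIP; native code lives under lib/<abi>/*.so.
    Returns {entry path: {component: [versions]}} for entries with a banner."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for entry in z.namelist():
            if entry.startswith("lib/") and entry.endswith(".so"):
                found = scan_blob(z.read(entry))
                if found:
                    report[entry] = found
    return report


def outdated(report, policy=MIN_VERSION):
    """Return [(entry, component, version)] for banners below the policy floor."""
    hits = []
    for entry, comps in report.items():
        for name, versions in comps.items():
            floor = parse_version(policy[name])
            for v in versions:
                if parse_version(v) < floor:
                    hits.append((entry, name, v))
    return hits


def build_sample_apk():
    """Constructed sample APK (not a real app): two fake .so entries carrying
    banners, plus a non-native entry whose banner must be ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0OpenSSL 0.9.8x")  # not under lib/
        z.writestr("lib/arm64-v8a/libcrypto.so",
                   b"\x7fELF" + b"\0" * 16 + b"OpenSSL 1.0.2g  1 Mar 2016\0")
        z.writestr("lib/arm64-v8a/libpng.so",
                   b"\x7fELF" + b"\0" * 16 + b"libpng version 1.6.34\0")
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_apk(build_sample_apk())
    for entry, name, v in outdated(rep):
        print("%s: %s %s is below policy floor %s"
              % (entry, name, v, MIN_VERSION[name]))
```

Run against a real APK with `scan_apk(open("app.apk", "rb").read())`. The weakness of this banner approach is exactly what the page’s fingerprint matching is meant to avoid: a build can strip the strings, a fork such as BoringSSL carries no OpenSSL banner, and a developer who backports fixes by hand (as in the discussion above) leaves the banner unchanged, so the library reads as vulnerable when it may not be, or as a known version when the bytes differ.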