Relying on Google as the sole gatekeeper of the Play Store turns out to be a weak strategy. The company does work to catch malware and apps with serious security vulnerabilities, but most submissions reach the store after minimal review. Security researchers keep pointing out new attack surface, and some of it sits in the most popular applications on the platform.
Most people do not worry about the security of the everyday apps on their phone, and with some reason: Google periodically removes apps found to contain adware or malware, or designed to trick users into paying for subscriptions. Most of us also assume that keeping our apps and the mobile operating system on the latest version minimizes whatever risk remains. That assumption turns out to be wrong, even for well-known applications.
According to a report by the security company Check Point, dozens of vulnerabilities are discovered every day. Some are in an app's own code; others are in the shared third-party libraries that apps bundle to provide specific features. Keeping every such component current is a large task, so developers have to decide which threats to prioritize. The Check Point researchers chose to look at which apps in the Google Play store still ship vulnerable versions of shared libraries, hunting specifically for three vulnerabilities rated as severe and disclosed in 2014, 2015 and 2016 respectively. The results will not surprise the infosec community, but they are striking: more than 800 popular Android apps and games, with a total of 5 billion downloads, were affected, including apps people use daily such as Messenger, WeChat, Facebook, Instagram, SHAREit, TuneIn and AliExpress. The shared libraries themselves were fixed soon after the vulnerabilities were disclosed; the problem is that current versions of these popular apps still embed the old, unpatched builds. Facebook responded that the flaws are not exploitable in its apps because of how its code uses the affected libraries. Google said it is investigating and pushing the app developers to update.
Once again, the company's policy favours filling its store with as many apps as possible, which leads to a situation where new apps are not adequately reviewed and known flaws are not fixed unless there is public pressure.
The Check Point researchers point out that even if an app rarely exercises the vulnerable code in an old library, shipping it at all is poor security hygiene. The three vulnerabilities chosen for the analysis are not exotic, and that is exactly the point: rather than developing cutting-edge exploits, attackers are far more likely to go after well-known, long-public bugs that are still present in deployed software. This may sound less alarming than a lookalike app that imitates a popular one in order to steal your private data, and app developers may dismiss such findings as trivial. But a glance at Google's vulnerability bounty programme shows why it is worth tracking every external component of a mobile app. Earlier this year, researchers found that more than 1,000 Android apps collect personal data even when the user has denied the relevant permissions after installation. Tellingly, those apps were relatively secure in their own right; it was the third-party libraries they bundled that carried the data-collection code.
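Tracking the native libraries bundled in an app is the concrete check this argument calls for. The following is an added example, not code from the Check Point report or from any of the apps named above: it opens an APK as the zip archive it is, walks the `lib/<abi>/*.so` entries, looks for embedded version strings of libraries you care about, and flags any version below a minimum you set. The `MIN_VERSIONS` policy values, the sample APK and the assumption that libpng embeds a `libpng version X.Y.Z` string are all assumptions of the example; when using it for real, take the fixed versions from the advisories relevant to your app.

```python
"""Inventory native (.so) libraries bundled in an APK and flag outdated ones.
Added example for this article; not code from the Check Point report."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Pattern, Tuple

Version = Tuple[int, ...]

# Assumed policy: minimum acceptable version per tracked library. These
# numbers are placeholders for the example, not figures from the report.
MIN_VERSIONS: Dict[str, Version] = {
    "libpng": (1, 6, 37),
}

# Assumed version-string formats found inside the compiled library. libpng
# embeds "libpng version X.Y.Z"; add a pattern per library you track.
VERSION_PATTERNS: Dict[str, Pattern[bytes]] = {
    "libpng": re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)"),
}


def extract_version(lib: str, blob: bytes) -> Optional[Version]:
    """Return the version tuple embedded in a binary blob, or None if absent."""
    match = VERSION_PATTERNS[lib].search(blob)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def scan_apk(apk_bytes: bytes) -> List[Dict[str, object]]:
    """One finding per bundled .so in which a tracked library's version appears.

    An APK is a zip file; native code lives under lib/<abi>/<name>.so, so the
    same library may appear once per supported ABI.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            parts = name.split("/")
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            blob = apk.read(name)
            for lib in VERSION_PATTERNS:
                version = extract_version(lib, blob)
                if version is None:
                    continue
                # Tuple comparison orders (1, 2, 50) before (1, 6, 37).
                findings.append({
                    "path": name,
                    "abi": parts[1],
                    "library": lib,
                    "version": version,
                    "outdated": version < MIN_VERSIONS[lib],
                })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with fake .so entries.

    The ELF bytes are not real code; only the version strings matter here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("lib/arm64-v8a/libpng.so",
                     b"\x7fELF" + b"\x00" * 16 + b"libpng version 1.2.50\x00")
        apk.writestr("lib/armeabi-v7a/libimage.so",
                     b"\x7fELF" + b"\x00" * 16 + b"libpng version 1.6.37\x00")
        apk.writestr("lib/arm64-v8a/libother.so",
                     b"\x7fELF" + b"\x00" * 8 + b"no version string here\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        version = ".".join(str(n) for n in finding["version"])
        status = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{finding['path']}: {finding['library']} {version} [{status}]")
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes. The check is deliberately conservative: it reports any bundled copy below the minimum, whether or not the app ever calls into the vulnerable function, because reachability is exactly the argument developers use to leave old code in place.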