The Inquirer-Home

Half of most popular Android apps inherit security vulnerabilities from reused code

Firm that uncovered Heartbleed gears up to name blameworthy developers
Mon Jul 28 2014, 11:32

RESEARCHERS who discovered the Heartbleed security vulnerability have warned that over half of the 50 most popular Android mobile apps have inherited security vulnerabilities through the irresponsible recycling of software libraries.

Codenomicon, which coined the term "Heartbleed" upon discovering the OpenSSL flaw, will name and shame app developers later this month when it publishes its findings on those that neglected robust security practices.

Preliminary results from a study by Codenomicon revealed that over half of the 50 most popular Android apps submit the user's Android ID to third party advertising networks without permission.

The study found that one in 10 apps sends either a device's IMEI code or location data to a third party, one in 10 apps connects to more than two ad networks, and, surprisingly, one even sends the user's mobile phone number.

It also found that over 30 percent of the apps transmit private data in plain text and plenty more are not encrypting the transfer of this data.

Codenomicon chief security specialist Olli Jarva told ITnews that 80 to 90 percent of mobile app software is made up of reused libraries, most of which are available under open source, and that this was because developers "did not want to invest in reinventing the wheel" with every app that they release.

"We're seeing the end products inherit vulnerabilities - sometimes it's just poor software design or logic errors in implementations, and sometimes those bugs are identified and patched. Sometimes, like in the case of Heartbleed, they are not identified for two years."

Jarva suggested that some developers "act intentionally", which is even more worrying.

"Some people might have been providing a vulnerability on purpose in order to do something nasty once the code has been distributed," he added. "Who are they working with? Do they have side-line jobs somewhere else? The developers might be getting their dollars from ad networks."

Heartbleed is considered the worst thing to happen to the internet since selfies, and web servers are still suffering from the fallout of the Heartbleed vulnerability.

Shaking the industry like a bear might a salmon, Heartbleed caused most companies to come forward and issue alerts and patches. Some laggard servers remain though, and according to security researchers over 300,000 are still vulnerable to exploits.

In the wake of the Heartbleed bug, the Linux Foundation founded the Core Infrastructure Initiative, financially supported by the industry, with a remit to ensure that SSL connections remain safe from another similar vulnerability. µ

 
