Android is essentially an open-source operating system where anyone can contribute (manufacturers can integrate it freely in their own devices), and the community of Android developers often release the code of the applications they develop.
This, which initially could be considered positive, may pose security problems that experts are starting to warn against: The fact that developers reuse the code of open-source libraries in their apps may cause them to also copy the bugs and security flaws that these may contain. Security flaws that are widely known among attackers. The result? Hundreds of devices suffering from the same security vulnerabilities.
The research reveals that affected apps send user data to third party advertising networks without the victims’ knowledge.
One in ten apps send the user’s device ID, location data and even the user’s mobile phone number to a third party. In addition, one in ten applications connect to more than two ad networks. Researchers believe that many of the developers of these applications are not aware of the vulnerabilities included in the code.
According to the report, 80 to 90 percent of mobile app software is made up of re-used libraries, as many developers don’t want to spend time and effort developing code from scratch or properly checking the code they use, leading to dangerous consequences.
Back in April we learned of the appearance of Heartbleed, a serious bug that affected one of the most popular communication encryption protocols. The bug affected hundreds of Internet servers worldwide (almost two-thirds of the Web) because of a security hole in an OpenSSL library.
The vulnerability was very serious as it allowed anybody with sufficient technical knowledge to access the sensitive data stored on (presumably safe) servers.
The flaw was fixed in most affected servers, but there is the possibility that apps containing reused code might inherit it if the developers don’t take appropriate precautions.
However, it is rare that developers research a library’s creator before using it in their code. Additionally, end users who commission the development of mobile apps are unlikely to be aware of the fact that the apps reuse software libraries connecting them to advertising networks which may potentially steal sensitive personal data.
End products inherit vulnerabilities due to poor software design or logic errors in implementations which could be easily identified and patched. The problem, according to the report, is more worrying when developers act intentionally. This means that they could be getting paid for leaving these security holes open and allowing private information to leak.
Panda Security’s Android antivirus includes a Privacy Auditor feature that allows users to check the information used and sent by installed apps, and display apps permissions.