About 20 percent of the most popular Android Apps available through the Google Play Store contain open source components with known security vulnerabilities that can be exploited by hackers, according to a report Insignary will release next week.
The findings are the result of the company's recent comprehensive binary code scan of the 700 most popular Android Apps on the Google Play Store. Insignary is a binary-level open source software security and compliance firm.
It leveraged its Insignary Clarity fingerprint-based binary scanning technology to analyze Android Package Kit (APK) files for known open source security vulnerabilities, and found them in one out of every five Android apps. Some were serious code flaws.
"With today's software and development procurement model, it has been almost impossible to know what open source components reside in software. Our tool is the first to be able to catalog all open source components in binary format -- the software consumers receive and use -- and report which components are known to harbor known security vulnerabilities," said Tae-Jin (TJ) Kang, CEO of Insignary.
The company's binary scanning tools also work on enterprise software, but the large library of open source Android applications provided a better opportunity to demonstrate the number of known security vulnerabilities that lurk in today's code, he said.
Key Points
Insignary's research and development team scanned the APK files during the first week in April. The team selected the 20 most popular apps in each of the 35 Android app categories, including game, productivity, social, entertainment and education, among others.
There were significant flaws in programming code in apps offered at the Google Play Store by the top software vendors, the binary scans indicated. Of the 700 APK files scanned, 136 contained security vulnerabilities.
Other findings:
57 percent of the APK files with security vulnerabilities contained vulnerabilities that were ranked as "Severity High." This rating means that the deployed software updates remain vulnerable to potential security threats.
86 of the 136 APK files with security vulnerabilities contained vulnerabilities associated with openssl.
58 of the 136 APK files with security vulnerabilities contained vulnerabilities associated with ffmpeg and libpng. The prevalence of those open source components can be attributed to the abundance of images and videos in mobile applications.
Interestingly, three of the APK files scanned contained more than five binaries with security vulnerabilities. The majority of APK files with vulnerabilities contained one to three binaries with security vulnerabilities.
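To make the kind of binary inventory described above concrete, here is an added example (not Insignary's code or its Clarity fingerprinting method) that treats an APK as the zip file it is, walks its native libraries under lib/, and looks for the version strings that OpenSSL, libpng and FFmpeg builds commonly embed. The regex signatures and the sample APK contents are constructed assumptions; the resulting component-and-version inventory is what a defender would then check against a vulnerability database such as the NVD.

```python
import io
import re
import zipfile

# Simple strings-style signatures for the three components the report names.
# These patterns are an assumption for illustration, not a fingerprint database.
SIGNATURES = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "ffmpeg": re.compile(rb"FFmpeg version (\d+\.\d+(?:\.\d+)?)"),
}


def scan_blob(blob):
    """Return {component: version} for every signature found in one binary."""
    found = {}
    for name, pattern in SIGNATURES.items():
        match = pattern.search(blob)
        if match:
            found[name] = match.group(1).decode("ascii")
    return found


def scan_apk(apk_bytes):
    """Inventory native libraries (lib/<abi>/*.so) inside an APK, which is a zip."""
    inventory = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if entry.startswith("lib/") and entry.endswith(".so"):
                hits = scan_blob(apk.read(entry))
                if hits:
                    inventory[entry] = hits
    return inventory


def build_sample_apk():
    """Constructed sample APK: fake .so blobs carrying embedded version strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00")  # not scanned: no native code
        apk.writestr("lib/arm64-v8a/libcrypto.so",
                     b"\x7fELF...OpenSSL 1.0.2k  26 Jan 2017\x00...")
        apk.writestr("lib/arm64-v8a/libmedia.so",
                     b"\x7fELF...libpng version 1.6.21\x00FFmpeg version 3.1.2\x00")
        apk.writestr("lib/arm64-v8a/libclean.so", b"\x7fELF...no known component\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, components in scan_apk(build_sample_apk()).items():
        print(path, components)
```

Real APKs may strip or rename these strings, so a string match is a first pass, not proof of absence; a negative result should be confirmed with symbol or function-level fingerprinting.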