Reusable Mobile App Libraries Introduce Reusable Security Issues

Whenever you use a mobile device, you probably aren’t far from a cellular or WiFi connection. The apps on mobile devices are geared to interact with a range of content on the Internet, so connectivity demands are high, and most people just don’t think about the connection they use, as long as they can get a connection.

This is concerning because network connections rarely, if ever, provide any additional safety measures to protect the user's device and data. Under these conditions, the only protection comes from the app itself. There are millions of apps out there and apparently a lot of trust that those apps have the right protection.

Today, many apps are assembled out of multiple sets of libraries, allowing the developer to focus on the core app functions while relying on other code to provide supporting capabilities. Advertising is one example where code libraries are commonly reused, because app developers can monetize apps that are free to the end user. We’ve noted the problem of security risks and privacy violations in third party libraries, and highlighted many previous examples here in the Research Center. But just exactly how extensive are the issues with app security?

With so many app developers out there, there are clearly apps that have issues. In January, researchers took a look at a cross section of iOS apps that many expect to be designed with security in mind: mobile banking apps. When the apps were tested for common security vulnerabilities, they turned out to be far less secure than expected, and as Computerworld reported, in general the apps were considered a leaky mess.

Recently, the researchers that discovered the Heartbleed exploit turned their eyes to the Android app space, and found a similar set of issues. By looking at the top 50 apps on Android, they found that over half of the apps analyzed had glaring security issues. The ITWorld article points out that these issues come from the reusable libraries, which introduce questionable functions along with the stated functionality.

The bottom line is that one cannot trust the app to provide the necessary security. It's simply not feasible for the average user to analyze the app itself and see what it is (or isn't) doing. Organizations have a larger challenge: they need to be concerned about both the apps that the business needs and any additional apps that the user may install. What's becoming clear is that good mobile security requires linking together traditionally disparate worlds, tying security policy decisions to knowledge of the app, user and device.

The only way to safely enable mobile devices is to bring together three core requirements for mobile security: managing the device, protecting the device, and controlling the data. These principles serve as the foundation for Palo Alto Networks GlobalProtect. To learn more, visit our GlobalProtect resources page.
