The report shows: the vast majority of applications contain open source components with known security vulnerabilities


  • Categories: Industry News
  • Origin: http://www.cena.com.cn/ia/20210420/111541.html
  • Time of issue: 2021-04-25 17:04


The report "Security Hazards in the Epidemic: The State of Mobile Application Security" was released recently. Produced by the Synopsys Cybersecurity Research Center (CyRC), it reviews the results of research on the 3,335 most popular Android mobile apps in the Google Play Store in the first quarter of 2021. The report shows that the vast majority of applications (63%) contain open source components with known security vulnerabilities, and highlights widespread security risks, including sensitive data exposed in application code and excessive use of mobile device permissions.


The report focuses on 18 popular mobile application categories, some of which have exploded in popularity during the epidemic, including business, education, and health and fitness. These applications appear in the Google Play Store download rankings or best-selling rankings. Although the results of the security analysis vary by category, in all 18 categories at least one-third of the applications contain known security vulnerabilities.


Yang Guoliang, senior security architect of the Synopsys Software Quality and Security Department, told reporters that after analyzing more than 3,000 apps he found potential security risks in three areas. The first is security vulnerabilities in open source components. This is the most basic level: these vulnerabilities can cause data leakage or lead to the application being attacked. Closer to our personal experience, he added, apps frequently and excessively ask for permissions; an app completely unrelated to geolocation will ask for your location, and an app completely unrelated to phone calls will still read your phone book. This is also a potential security issue. The second area is the leakage of sensitive information. What leaks from these apps may be not only users' sensitive information but also the manufacturers' own: cryptographic key pairs mistakenly left inside the app are distributed with the APP package, and if hackers obtain them they pose a direct threat to both individuals and manufacturers. The third area is excessive demand for permissions.


Specifically, open source vulnerabilities in mobile applications are very common. Of the 3,335 applications analyzed, 63% contained open source components with at least one known vulnerability, and vulnerable applications contained an average of 39 vulnerabilities. In total, CyRC found more than 3,000 unique vulnerabilities, which appeared more than 82,000 times.


The known vulnerabilities can be resolved. Although the number of vulnerabilities found in this study is daunting, it is even more surprising that 94% of the detected vulnerabilities have publicly documented fixes, meaning that security patches, updates, or more secure versions of the open source components are available. In addition, 73% of the detected vulnerabilities were first publicly disclosed at least two years ago, indicating that the application developers did not consider the security of the components used to build their applications.


In-depth analysis of high-risk vulnerabilities. A more thorough analysis shows that CyRC considers nearly half (43%) of the vulnerabilities to be high-risk because they have been actively exploited or are associated with a documented proof-of-concept (PoC) exploit. Less than 5% of the vulnerabilities are associated with exploits or PoC exploits and have no fix available. 1% of the vulnerabilities are classified as remote code execution (RCE) vulnerabilities, which many consider the most serious class; 0.64% are classified as RCE vulnerabilities and are associated with active exploits or PoC exploits.


Information leakage. When developers unintentionally expose sensitive or personal data in an application's source code or configuration files, that information is likely to be used by malicious attackers to launch subsequent attacks. CyRC found tens of thousands of instances of information leakage, with potentially sensitive information ranging from private keys and tokens to email and IP addresses exposed.


Excessive use of mobile device permissions. Mobile applications usually require access to certain functions or data on your mobile device in order to work. However, some applications rashly or secretly request access permissions far beyond what they need. The mobile applications analyzed by CyRC request an average of 18 device permissions, including an average of 4.5 sensitive permissions (permissions that grant repeated access to personal data) and an average of 3 permissions that Google classifies as "not available to third-party applications". One application with more than one million downloads requests 11 permissions that Google classifies at the "dangerous" protection level. Another application with more than five million downloads requests a total of 56 permissions, 31 of which Google classifies as "dangerous" protection level permissions or as signature permissions that third-party applications are not allowed to use.
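As an added, defender-side example that is not part of the report or this article: a small Python script that parses an Android manifest and groups the requested permissions by Android protection level, so that a team can spot the "dangerous" and signature-level requests the report counts. The protection-level table is a hand-picked excerpt (an assumption to be extended from Android's permission reference) and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Excerpt only (assumption): a few well-known permissions and their Android
# protection level; extend from the official permission reference before use.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.VIBRATE": "normal",
    "android.permission.CAMERA": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.READ_CALL_LOG": "dangerous",
    "android.permission.INSTALL_PACKAGES": "signature",
    "android.permission.REBOOT": "signature",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return the requested permissions grouped by protection level."""
    root = ET.fromstring(manifest_xml)
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    summary = {"total": len(requested), "dangerous": [], "signature": [], "unknown": []}
    for perm in requested:
        level = PROTECTION_LEVEL.get(perm)
        if level == "dangerous":
            summary["dangerous"].append(perm)
        elif level == "signature":
            # Signature-level permissions are never granted to third-party apps;
            # requesting them is a red flag in a store-distributed app.
            summary["signature"].append(perm)
        elif level is None:
            summary["unknown"].append(perm)  # not in our table: review manually
    return summary


# Constructed sample: a flashlight-style app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="com.example.CUSTOM"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Running it on a real app means extracting AndroidManifest.xml from the APK (for example with apktool) before passing it to audit_manifest.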


Comparing application categories. In 6 of the 18 categories, at least 80% of applications contain known vulnerabilities, including games, banking, budgeting, and payment applications. The lifestyle and health and fitness categories have the lowest percentage of vulnerable applications, at 36%. The banking, payment, and budgeting categories also rank among the top three in the average number of device permissions requested, well above the average across the 18 categories. Games, teaching aids, education, and lifestyle applications request the lowest average number of permissions.


Copyright © 2021 Endela Electronics Company, Limited  All rights reserved  粤ICP备11024848号   Powered by www.300.cn