
The report shows that the vast majority of applications include open-source components with known security vulnerabilities.

Category:

Industry News

Author:

Source:

http://www.cena.com.cn/ia/20210420/111541.html

Published Time:

2021-04-25


The report, "Security Risks in a Pandemic: The State of Mobile Application Security," has recently been released. Produced by the Synopsys Cybersecurity Research Center (CyRC), this report examines the findings of a first-quarter 2021 study of 3,335 of the most popular Android mobile applications on the Google Play store. The report reveals that the vast majority of applications (63%) contain open-source components with known security vulnerabilities, highlighting widespread security risks, including sensitive data exposed in application code and excessive use of mobile device permissions.


The report focuses on 18 popular mobile application categories, some of which exploded during the pandemic, including business, education, health, and fitness. These applications ranked highly in Google Play Store downloads or sales charts. While the security analysis results varied by application category, at least one-third of applications in all 18 categories contained known security vulnerabilities.


Yang Guoliang, a senior security architect in the Synopsys Quality and Security Group, told reporters that after analyzing more than 3,000 applications, he found three potential security risks: First, open-source components. Security vulnerabilities are a fundamental issue; these vulnerabilities and attacks could lead to data leaks, as mentioned earlier. Overly soliciting user permissions is another problem. For example, an app might ask for your location information even if it's entirely irrelevant, or it might access your phone book. This is also a potential security issue. Second, sensitive information leakage. In these applications, it may not just be the user's sensitive information but also that of the application's developers; cryptographic key pairs may be mistakenly left in the application package. If exploited by hackers, this poses a direct threat to both individuals and manufacturers. Third, excessive requests for authority.


Specifically, open-source vulnerabilities in mobile applications are extremely common. Of the 3,335 applications analyzed, 63% contained at least one open-source component with a known vulnerability. Vulnerable applications contained an average of 39 vulnerabilities. In total, CyRC discovered more than 3,000 unique vulnerabilities, which appeared more than 82,000 times.


Known vulnerabilities are addressable. While the number of vulnerabilities discovered in this study is daunting, what's more surprising is that 94% of the detected vulnerabilities have publicly documented fixes, meaning that security patches or updates and more secure versions of the open-source components are available. Furthermore, 73% of the detected vulnerabilities were first publicly disclosed at least two years prior, indicating that application developers have not considered the security of the components used to build their applications.
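The two figures above (fix available, disclosed two or more years earlier) come from matching each bundled component against an advisory feed. The Python below is an added example of that triage, not CyRC's tooling; it uses constructed component names, placeholder advisory ids (not real CVEs) and an assumed study cutoff date.

```python
from datetime import date
# Constructed component inventory, as an SCA tool would extract from the
# libraries bundled in an APK; names and versions are made up for the example.
COMPONENTS = [
    {"name": "example-json", "version": "1.4.2"},
    {"name": "example-http", "version": "3.0.1"},
    {"name": "example-imgloader", "version": "2.2.0"},
]
# Constructed advisory feed with placeholder ids (not real CVEs): affected
# range is every version below "below"; "fixed" is None when no fix exists.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "example-json", "below": "1.5.0",
     "fixed": "1.5.0", "disclosed": date(2018, 3, 1)},
    {"id": "ADV-PLACEHOLDER-002", "name": "example-http", "below": "3.1.0",
     "fixed": "3.1.0", "disclosed": date(2020, 11, 15)},
    {"id": "ADV-PLACEHOLDER-003", "name": "example-imgloader", "below": "2.3.0",
     "fixed": None, "disclosed": date(2018, 12, 1)},
    {"id": "ADV-PLACEHOLDER-004", "name": "example-http", "below": "2.0.0",
     "fixed": "2.0.0", "disclosed": date(2017, 1, 1)},
]
# Assumed analysis date (end of Q1 2021, when the study was run).
STUDY_DATE = date(2021, 3, 31)

def parse_version(v):
    # Numeric dotted version to a comparable tuple: "1.4.2" -> (1, 4, 2)
    return tuple(int(part) for part in v.split("."))

def triage(components, advisories, today):
    # Match each bundled component against the feed; for each hit record
    # whether a fixed version exists and whether disclosure is >= 2 years old.
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) >= parse_version(adv["below"]):
                continue  # at or beyond the affected range: not vulnerable
            age_days = (today - adv["disclosed"]).days
            findings.append({"component": comp["name"], "advisory": adv["id"],
                             "fix_available": adv["fixed"] is not None,
                             "older_than_two_years": age_days >= 2 * 365})
    return findings

def summarize(findings):
    # Percentages comparable to the report's "fix available" and "two years old" figures.
    n = len(findings)
    pct = lambda key: round(100.0 * sum(f[key] for f in findings) / n, 1) if n else 0.0
    return {"findings": n, "fix_available_pct": pct("fix_available"),
            "older_than_two_years_pct": pct("older_than_two_years")}
```

Running `summarize(triage(COMPONENTS, ADVISORIES, STUDY_DATE))` gives the per-app equivalents of the report's two percentages; a real deployment would replace the constructed feed with a maintained vulnerability database and a proper version-range parser.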


In-depth analysis of high-risk vulnerabilities. More thorough analysis revealed that CyRC considers nearly half (43%) of the vulnerabilities to be high-risk, as they have either been actively exploited or are associated with documented proof-of-concept (PoC) exploits. Less than 5% of vulnerabilities are associated with exploits or PoC exploits and have no available fix. 1% of vulnerabilities were categorized as remote code execution (RCE) vulnerabilities, considered by many to be the most serious. 0.64% of vulnerabilities were categorized as RCE vulnerabilities associated with active attacks or PoC attacks.


Information leakage. When developers inadvertently leak sensitive or personal data in an application's source code or configuration files, this information can likely be used by malicious actors to launch further attacks. CyRC discovered tens of thousands of instances of information leakage, exposing potentially sensitive information ranging from private keys and tokens to email addresses and IP addresses.


Excessive use of mobile device permissions. Mobile applications typically require access to certain functionalities or data within a mobile device to function effectively. However, some applications carelessly or secretly request access to far more permissions than necessary. The mobile applications analyzed by CyRC requested an average of 18 device permissions, including an average of 4.5 sensitive permissions or permissions that require repeated access to personal data, and an average of 3 categorized as “not allowed for third-party applications” by Google. One application with over one million downloads requested 11 permissions categorized by Google as “dangerous protection level”. Another application with over five million downloads requested a total of 56 permissions, 31 of which were categorized by Google as “dangerous protection level”, not allowed for third-party applications, or signature permissions.
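A first-pass permission audit of the kind the report describes, as an added Python example (not CyRC's tooling): it parses a constructed AndroidManifest.xml for a hypothetical app and classifies the requested permissions against an illustrative subset of Google's dangerous and signature-only protection levels, which is assumed here and is not the full list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Illustrative subset of protection levels taken from the public Android
# Manifest.permission reference; not the full list and not CyRC's own table.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
}
# Signature / privileged-only permissions: the platform never grants these to
# an ordinary third-party app, so requesting them is a review finding in itself.
NOT_FOR_THIRD_PARTY = {
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_LOGS",
}

# Constructed sample manifest for a hypothetical budgeting app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.budgetapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

def audit_permissions(manifest_xml):
    # Return the total requested permissions plus the names that fall into
    # the dangerous and not-for-third-party buckets (sorted for stable output).
    root = ET.fromstring(manifest_xml)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested += [el.get(NAME_ATTR) for el in root.iter(tag) if el.get(NAME_ATTR)]
    return {
        "total": len(requested),
        "dangerous": sorted(p for p in requested if p in DANGEROUS),
        "not_for_third_party": sorted(p for p in requested if p in NOT_FOR_THIRD_PARTY),
    }

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST))
```

The manifest inside a real APK is binary XML and must first be decoded (for example with `aapt dump xmltree` or apktool) before this text parser can read it.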


Comparing application categories. In six of the 18 categories, at least 80% of applications contained known vulnerabilities, including gaming, banking, budgeting, and payment applications. The lifestyle and health & fitness categories had the lowest percentage of vulnerable applications at 36%. Banking, payment, and budgeting categories were also among the top three in the average number of mobile device permissions requested, significantly higher than the average across the 18 categories. Gaming, learning tools, education, and lifestyle apps requested the lowest average number of permissions.


Keywords:

Vulnerability, application, permission, mobile, app, information