Twitter has announced that it has found a security vulnerability in its Android app.
Twitter said that the problems related to an Android security issue in OS 8 and 9. According to Twitter, around 96 percent of people using Twitter for Android already have a security patch for this vulnerability. The company added that it has not found any evidence that this security flaw was exploited, but it can’t be completely sure.
Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “This demonstrates the challenges mobile app developers have around securing their companies applications. Mobile apps are more complex in that vulnerabilities can exist on the back end server, application code and in this case, the underlying OS itself. Often times companies are playing catchup around mobile app security due to the ever changing environment of SDKs and OS versions.”
Christoph Hebeisen, Director, Security Intelligence Research at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, notes, “The vulnerability Twitter addressed recently was not a flaw in the Twitter app - the app used documented Android functionality but the implementation of that functionality in Android was flawed leading to a possibility of disclosure of private data to a malicious app running on the same device. Twitter’s fix for this is a workaround to keep private data safe from attacks on this particular Android vulnerability. The bug in Android was fixed in October 2018 - only devices whose manufacturer support had ended before that date were affected by this. This is another reminder of how important it is to use only devices that receive regular security updates - devices with patch levels old enough to be susceptible to this vulnerability also contain bugs that would allow a complete system compromise exposing the private data of all apps on the device.”