The Synopsys Cybersecurity Research Center (CyRC) analyzed more than 3,000 popular Android applications to assess the state of mobile app security during the COVID-19 pandemic. The study targeted the most downloaded and highest grossing apps across 18 categories, many of which have seen explosive growth during the pandemic. The research focused on three core areas of mobile app security:
  • Vulnerabilities: The presence of known software vulnerabilities in the applications’ open source components
  • Information leakage: Sensitive data such as private keys, tokens, and passwords exposed in the application code
  • Mobile device permissions: Applications requiring excessive access to mobile device data and features
 
The analysis reveals that the majority of apps contain open source components with known security vulnerabilities. It also highlights other pervasive security concerns including myriad potentially sensitive data exposed in the application code and the use of excessive mobile device permissions.
 
For consumers, this report highlights the jarring reality that even the most popular mobile apps are not immune to security and privacy weaknesses and should not be trusted implicitly. For app developers, this underscores the urgent need for secure software development practices and better overall privacy and security hygiene.
 

Key findings include:

App composition – open source is eating the app store! 3,267 (98%) of the apps contained open source software (OSS) components, with an average of 20 OSS components per app.

Open source vulnerabilities in mobile apps are pervasive:

  • Of the 3,335 mobile apps analyzed, 2,115 (63%) contained OSS components with at least one known security vulnerability. This means the majority of the top Android apps used today have some sort of vulnerability, regardless of application category (lifestyle, finance, etc.) or who developed it.
  • The vulnerable apps contained an average of 39 distinct vulnerabilities.
  • 3,137 unique vulnerabilities were identified, and they appeared 82,144 times.
  • 94% of the vulnerabilities detected have publicly documented fixes, meaning there are security patches or newer, more secure versions of the OSS component available.
  • 73% of the known security vulnerabilities are more than two years old.

A deep dive on high-risk vulnerabilities – A more thorough analysis of a subset of the vulnerabilities detected revealed:

  • The bad, the ugly, and the worst: Nearly half (44%) of the vulnerabilities detected are considered high risk because they either have been actively exploited, have documented proof-of-concept (PoC) exploits, or are classified as remote code execution (RCE) vulnerabilities.
    • 43% of the vulnerabilities detected are associated with an exploit or PoC exploit
    • 4.6% of the vulnerabilities detected are associated with an exploit or PoC exploit and have no fix available
    • 1% of the vulnerabilities detected are classified as a remote code execution (RCE) vulnerability, widely recognized as the most severe class of vulnerability
    • 0.64% are associated with a PoC/exploit and are classed as RCE

Information Leakage: Occasionally, developers unintentionally leave sensitive or personal data in the source code or configuration files of the application. In the wrong hands, this information can be used maliciously. CyRC found that information leakage is commonplace in mobile apps.

  • Tokens, keys, and passwords, oh my! Sensitive info like AWS keys, Google Cloud tokens, JSON web tokens, and user credentials are the equivalent of keys to the kingdom for an attacker because they can provide access to servers, systems, or other sensitive properties. From there an attacker can steal IP, plant malware, or launch compute resources that can cost application owners a lot of money.
  • IP addresses and URLs can serve malicious content or disclose private APIs, internal systems, or hidden vendor resources, offering malicious actors an open attack vector.
  • Email addresses accidentally left behind in source code can disclose internal systems (e.g., domains) and usernames. They can then be used as attack points (especially when combined with tokens or IP addresses) or for phishing attacks.
  • Of the 3,335 applications analyzed, CyRC discovered the following instances of information leakage:
    • 65 JSON web tokens (JWTs)
    • 26 AWS keys
    • 406 Twilio tokens
    • 804 Google Cloud tokens
    • 27 Facebook tokens
    • 60 Asymmetric private keys (RSA)
    • 817 OAuth tokens
    • 10,863 Email addresses
    • 27,568 IP addresses; 4 of which are flagged as suspicious
    • 365,227 URLs; 11 of which are flagged as suspicious by Google Safebrowsing

 

  • Excessive use of mobile device permissions – “Um, why is my meditation app able to redirect my phone calls?” To function effectively, mobile apps often require access to certain features or data from your mobile device. For example, a navigation app logically needs to access your location. But some apps recklessly (or maliciously) require far more access than they really need.
    • The mobile apps analyzed by CyRC require on average of 18 device permissions.
    • Digging deeper, they require an average of 4.5 sensitive permission, or those that require the most access to personal data.
    • They also required an average of 3 permissions that Google classifies as “not intended for third-party use”
    • One application with over 1 million downloads required 11 permissions that Google classifies as “Protection Level: Dangerous.” Google only classifies 32 permissions as Dangerous, so this is a lot!
    • One application with over 5 million downloads required a total of 56 permissions, 31 of which Google classifies as “Protection Level: Dangerous” or as signature permissions that are not to be used by third-party apps.

 

Analysis of Apps by Category

  • At least 80% of the apps in six of the 18 categories contained known vulnerabilities, including games, banking, budgeting, and payment apps. The lifestyle and health & fitness categories tied for the lowest percentage of vulnerable apps at 36%.
    • Percentage of scanned apps that contained vulnerable components
      • (ALL APPS: 63%)
      • TOP FREE GAMES: 96%
      • TOP GROSSING GAMES: 94%
      • BANKING: 88%
      • BUDGETING: 84%
      • TOP PAID GAMES: 80%
      • PAYMENT: 80%
      • TOP GROSSING APPS: 61%
      • TOP FREE APPS: 59%
      • PRODUCTIVITY: 58%
      • EDUCATIONAL APPS: 57%
      • TOOLS FOR TEACHERS: 56%
      • ENTERTAINMENT: 55%
      • FOOD AND DRINK APPS: 49%
      • TOP GROSSING DATING APPS: 47%
      • TOP FREE DATING APPS: 44%
      • TOP PAID APPS: 44%
      • LIFESTYLE: 36%
      • HEALTH AND FITNESS APPS: 36%
  • The banking, payment, and budgeting categories also ranked in the top three for highest average number of mobile device permissions required, well above the overall average of 18. Games, tools for teachers, education, and lifestyle apps require the lowest average number of permissions.
    • Average number of permissions required
      • (ALL APPS: 18)
      • BUDGETING: 26
      • PAYMENT: 25
      • BANKING: 25
      • TOP FREE APPS: 22
      • TOP GROSSING APPS: 21
      • TOP GROSSING DATING APPS: 20
      • HEALTH AND FITNESS APPS: 20
      • TOP FREE DATING APPS: 19
      • PRODUCTIVITY: 19
      • FOOD AND DRINK APPS: 17
      • ENTERTAINMENT: 17
      • EDUCATIONAL APPS: 17
      • LIFESTYLE: 16
      • TOOLS FOR TEACHERS: 16
      • TOP GROSSING GAMES: 16
      • TOP FREE GAMES: 13
      • TOP PAID APPS: 10
      • TOP PAID GAMES: 8