Synopsys recently released a report, “Peril in a Pandemic: The State of Mobile Application Security,” produced by its Cybersecurity Research Center (CyRC), examining the state of mobile application security during the COVID-19 pandemic. The study encompassed 3,335 of the most popular Android mobile applications on the Google Play Store as of the first quarter of 2021.
Leveraging Synopsys’ Black Duck Binary Analysis, the CyRC found that the majority of applications (63%) contained open source components with known vulnerabilities. The CyRC also uncovered other concerning security issues, including sensitive data exposure and excessive mobile permissions.
The analysis focused on 18 popular mobile application categories that grew explosively due to the pandemic and the lockdowns that made it necessary to access everything from work to gyms to classrooms from home. These categories included education, business, and health and fitness. The CyRC found that at least one-third of the applications in all 18 categories contained known vulnerabilities.
The state of mobile application security
Open source vulnerabilities in mobile applications are pervasive. Consumers often assume that applications — especially those that are particularly sensitive, like banking — are secure, but that’s not always the case. The CyRC found that vulnerable apps contained an average of 39 vulnerabilities, and in total, identified more than 3,000 unique vulnerabilities that appeared more than 82,000 times.
Information leakage is a problem. Information leakage occurs when developers inadvertently leave behind sensitive data or personal information in the source code of the applications they are developing. In the wrong hands, this information can provide clues and assist malicious actors in gaining access to a system. The CyRC discovered thousands of cases of information leakage in the apps it examined.
Mobile permissions are excessive. The level of permissions an application requires to function properly varies, but it should never exceed what is absolutely necessary. The CyRC’s analysis of mobile application security discovered a multitude of arguably egregious permission requirements. One app required 11 permissions that Google classifies as “Protection Level: Dangerous.” Another app with over 5 million downloads required a total of 56 permissions, 31 of which Google classifies as “Protection Level: Dangerous” or as signature permissions that are not to be used by third-party apps. There is simply no reason for this level of access to a user’s device.
Key findings by category
Overall, at least 80% of the applications in the top 6 of the 18 categories, which included games as well as banking, budgeting, and payment apps, contained known vulnerabilities.
The lifestyle and health and fitness categories both had the lowest percentage of vulnerable apps, at 36%.
The banking, payment, and budgeting categories all had the highest average number of mobile device permissions required, well above the overall average of 18.