
Vulnerabilities in apps like Facebook, Instagram, WeChat and other high-profile Android applications

CIOL Bureau

Most mobile users understandably worry about known vulnerabilities in the core operating system of their devices, which can give an attacker complete control over their mobile phones, and about zero-day vulnerabilities which haven’t yet been addressed by the software vendors. The common perception is that as soon as a vulnerability is discovered in a software component, it’s immediately fixed. Therefore, by maintaining up-to-date versions of the mobile OS and all apps, you can keep your mobile device secure. However, Check Point Research shows that even long-since fixed vulnerabilities can be critically important, as outdated code can find its way into even the most popular apps.


A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries. This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered. It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers.

To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned them for known patterns associated with vulnerable versions of open-source code. The following tables summarize our results, as of June 2019, for three vulnerabilities of critical severity (Arbitrary Code Execution) from 2014, 2015 and 2016. The list includes hundreds of popular Android apps, including Yahoo Browser, Facebook, Instagram and WeChat.
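For app maintainers who want to run a comparable check on their own builds, here is an added example (not Check Point's scanner and not code from the original article) that inventories the native libraries in an APK and flags any that embed a pre-fix libFLAC version string. It assumes libFLAC's embedded vendor string has the form `reference libFLAC X.Y.Z <date>` and that the CVE-2014-8962 fix shipped in libFLAC 1.3.1; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: libFLAC embeds a vendor string such as
# "reference libFLAC 1.3.0 20130526", and CVE-2014-8962 was fixed in 1.3.1.
FLAC_VENDOR = re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)")
FLAC_FIXED = (1, 3, 1)
# An APK is a ZIP archive; native libraries live under lib/<abi>/<name>.so
NATIVE_LIB = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")


def scan_apk(apk):
    """Return one finding per native library bundling a pre-fix libFLAC.

    `apk` is a filesystem path or a seekable binary file object.
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for name in sorted(zf.namelist()):
            m = NATIVE_LIB.match(name)
            if not m:
                continue  # only native libraries are inspected
            for hit in FLAC_VENDOR.finditer(zf.read(name)):
                version = tuple(int(g) for g in hit.groups())
                if version < FLAC_FIXED:
                    findings.append({"abi": m.group(1), "library": m.group(2),
                                     "libflac": ".".join(map(str, version))})
    return findings


def build_sample_apk():
    """Constructed sample: a ZIP laid out like an APK with fake .so payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libplayer.so",
                    b"\x7fELF\x00reference libFLAC 1.3.0 20130526\x00")
        zf.writestr("lib/arm64-v8a/libcodec.so",
                    b"\x7fELF\x00reference libFLAC 1.3.1 20141125\x00")
        zf.writestr("lib/armeabi-v7a/libplayer.so",
                    b"\x7fELF\x00reference libFLAC 1.2.1 20070917\x00")
        zf.writestr("assets/readme.txt", b"reference libFLAC 1.0.0")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f['abi']}/{f['library']}: libFLAC {f['libflac']} (< 1.3.1)")
```

A hit is a lead for investigation rather than proof: the app's flow may never reach the affected code, and a vendor can backport a fix without changing the version string.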

CVE-2014-8962 (FLAC audio codec)


https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e

CVE-2015-8271 (FFmpeg RTMP video streaming)


http://git.ffmpeg.org/gitweb/rtmpdump.git/commit/39ec7eda489717d503bc4cbfaa591c93205695b6

CVE-2016-3062 (FFmpeg libavformat media handling)


http://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7e01d48cfd168c3dfc663f03a3b6a98e0ecba328

An additional CVE-2016-3062 vulnerability has been identified by our tests on the Instagram application (com.instagram.android). In correspondence with Facebook, we were notified that


“Instagram isn't impacted by CVE-2016-3062 and we've had a patch in place since it was surfaced.”

It's important to note, as stated earlier, that the focus of our research was on the state of security in applications on Google Play and not on any specific vulnerability in any specific application. This also applies to the Instagram example stated above.


Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?

The following demo shows the PoC video file from the original CVE-2016-3062 report causing the latest version of VivaVideo app (com.quvideo.xiaoying, over 100 million downloads) to crash.

Conclusion

If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date. It comes as a shock to discover that these precautions are of no help when the app maintainers neglect to incorporate security fixes into their versions of popular components. Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.

Research by Slava Makkaveev
