This article was published on November 21, 2019

Popular Android apps are shipping with outdated bug-ridden software

Story by Ravie Lakshmanan

Researchers have found that several popular Android apps, including Facebook, AliExpress, and WeChat, come with outdated software components that contain unpatched security flaws.

Vulnerabilities in third-party mobile apps are one class of risk; those in the operating system itself are another. Both require device makers and software vendors to issue patches promptly so that the window in which such bugs can be exploited stays short.

But what if these apps contain old software components that harbor vulnerabilities which have been long fixed? This is exactly what researchers over at cybersecurity firm Check Point Research set out to find.

“To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned them for known patterns associated with vulnerable versions of open-source code,” researchers Artyom Skrobov and Slava Makkaveev said.

Mobile apps generally make use of readily available off-the-shelf components (aka libraries) to achieve a specific functionality. As is often the case with any piece of software, when vulnerabilities are uncovered in such open-source libraries, app developers need to ensure that their apps are updated to include the fixes as and when they’re available.

But Check Point researchers said they found dozens of Android apps — such as Yahoo Browser, Facebook (and Messenger), AliExpress, SHAREit, and WeChat — which incorporate out-of-date vulnerable libraries.

The flaws sit in open-source audio and video playback libraries bundled into the apps (CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062) and could potentially allow an attacker to execute arbitrary code; all three were fixed upstream more than two years before the report.
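The check Check Point describes, scanning an app for "known patterns associated with vulnerable versions of open-source code", can be reproduced cheaply for the simplest case: native libraries usually embed a version string, and an APK is just a zip file with the native code under `lib/<abi>/`. The following is an added example written for this article, not Check Point's tooling or any app's code. It unpacks an APK in memory, looks for version strings of libFLAC and FFmpeg in every bundled `.so`, and flags versions below a fixed threshold. The libFLAC vendor string format ("reference libFLAC 1.3.0 20130526") and the 1.3.1 fix for CVE-2014-8962 are real; the FFmpeg string format and the 2.8.4 threshold for CVE-2015-8271 are assumptions made for illustration and should be checked against the advisory before use. The sample APK is constructed inline so the script runs offline.

```python
"""Flag known-vulnerable media libraries bundled in an APK by version string.

Added example for this article; not Check Point's scanner or any app's code.
Version thresholds for FFmpeg are assumptions, not taken from the page.
"""
import io
import re
import zipfile

# One rule per (component, regex capturing its version, first fixed version, CVE).
# Version tuples compare lexicographically, so (1, 3, 0) < (1, 3, 1).
RULES = [
    # Real libFLAC vendor string; CVE-2014-8962 was fixed in FLAC 1.3.1.
    ("libFLAC", re.compile(rb"reference libFLAC (\d+\.\d+\.\d+)"), (1, 3, 1), "CVE-2014-8962"),
    # ASSUMPTION: string layout and 2.8.4 threshold are illustrative only.
    ("FFmpeg", re.compile(rb"FFmpeg version n?(\d+\.\d+(?:\.\d+)?)"), (2, 8, 4), "CVE-2015-8271"),
]


def parse_version(text):
    """'1.3.0' -> (1, 3, 0)."""
    return tuple(int(part) for part in text.split("."))


def scan_blob(name, data):
    """Return findings for one native library's raw bytes."""
    findings = []
    seen = set()
    for component, pattern, fixed_in, cve in RULES:
        for match in pattern.finditer(data):
            version = match.group(1).decode("ascii")
            if parse_version(version) < fixed_in and (name, cve) not in seen:
                seen.add((name, cve))
                findings.append({"lib": name, "component": component,
                                 "version": version, "cve": cve})
    return findings


def scan_apk(apk_bytes):
    """Walk lib/<abi>/*.so inside the APK (a zip) and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Only native code is scanned here; Java-side bundles would need
            # a separate rule set over classes.dex.
            if info.filename.startswith("lib/") and info.filename.endswith(".so"):
                findings.extend(scan_blob(info.filename, apk.read(info.filename)))
    return findings


def build_sample_apk():
    """Constructed test fixture: a zip shaped like an APK with fake .so blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # Outdated libFLAC: should be flagged.
        apk.writestr("lib/arm64-v8a/libflac.so",
                     b"\x7fELF\x00\x00 reference libFLAC 1.3.0 20130526 \x00")
        # Patched libFLAC for another ABI: should not be flagged.
        apk.writestr("lib/armeabi-v7a/libflac.so",
                     b"\x7fELF\x00\x00 reference libFLAC 1.3.2 20170101 \x00")
        # FFmpeg above the assumed threshold: should not be flagged.
        apk.writestr("lib/arm64-v8a/libavcodec.so",
                     b"\x7fELF\x00\x00 FFmpeg version 3.4.2 Copyright \x00")
        # A vulnerable-looking string outside lib/ is ignored by this scanner.
        apk.writestr("classes.dex", b"dex\n035\x00 reference libFLAC 1.2.1 \x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print("{lib}: {component} {version} -> {cve}".format(**finding))
```

A hit from this scanner is a hint, not proof of exploitability: it says the vulnerable code is present, not that the app ever feeds it attacker-controlled input. Real builds also strip or rename these strings at times, so a clean result is weaker evidence than a hit; Check Point's approach matched code patterns rather than relying on version strings alone.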

“People using Facebook services are not vulnerable to any of the issues highlighted by Check Point due to the design of our systems that use this code,” a Facebook spokesperson told TNW.

Instagram was initially identified as one of the affected apps, but has since been ruled out. “Instagram isn’t impacted by CVE-2016-3062 and we’ve had a patch in place since it was surfaced,” Facebook told Check Point.

It’s worth pointing out that the presence of the vulnerable code alone doesn’t mean the apps can be exploited: that depends on whether the app ever passes attacker-controlled input, such as a media file from an untrusted source, through the affected code path, which is the distinction Facebook draws above. What the findings do show is that app maintainers need to be more rigorous about shipping their apps with up-to-date components.

Unfortunately, as a user of these apps there is little you can do to keep your device secure: the flaws travel with the app itself, so updating to the latest version doesn’t remove them until the developer rebuilds against fixed versions of the libraries.

“If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date,” the researchers concluded. “It comes as a shock to discover that these precautions are of no help when the app maintainers neglect to incorporate security fixes into their versions of popular components.”

(The story was updated to include a statement from Facebook.)
