Some developers haven't updated a crucial library inside their Android mobile apps. Among the vulnerable applications are the Edge browser, Grindr, OkCupid, and Teams.
About 8% of Android apps available on Google's official store are vulnerable to a security flaw in a popular Android library, according to an analysis carried out this fall by security firm Check Point.
The vulnerability lies in older versions of Play Core, a Java library provided by Google, which developers can integrate into their applications to interact with the official Play Store portal. The Play Core library is very popular because it can be used by developers to download and install updates hosted on the Play Store, add-ons, language packs, or even other apps.
Earlier this year, security researchers from Oversecured discovered a major vulnerability (CVE-2020-8913) in the Play Core library. If malware had been installed on a user's device, it could have abused this flaw to inject malicious code into other applications and steal sensitive data such as passwords, photos, and more, as shown in the researchers' video demonstration.
The launched patch

Google fixed this vulnerability in March but, according to new findings released by Check Point, not all developers have updated the Play Core library that comes with their apps, leaving their users exposed to simple attacks that can lead to theft of data.
According to an analysis by Check Point in September, six months after a patch was released for Play Core, 13% of all apps in the Play Store were still using this library, but only 5% were using an updated (i.e. secure) version, the rest leaving users vulnerable to attack.
Among the applications that have updated this library, we can mention Facebook, Instagram, Snapchat, WhatsApp, and Chrome. However, many other apps haven't.
Belated applications

Among the apps with the largest user base that weren't updated, Check Point listed apps like Microsoft Edge, Grindr, OkCupid, Cisco Teams, Viber, and Booking.com. Check Point researchers Aviran Hazum and Jonathan Shimonovich say they notified all apps they found vulnerable to attack via CVE-2020-8913. But, three months later, only Viber and Booking.com took the trouble to correct their applications after being alerted.
"As our demonstration video shows, this vulnerability is extremely easy to exploit," the two researchers point out. "Just create a 'hello world' application that calls the exported intent in the vulnerable application to push a file into the verified files folder with the traversal path of the file. Then all you have to do is sit back and wait for the magic to happen."
This study shows once again that even when users are running an updated version of their applications, it does not necessarily mean that all internal components of an application are also up to date, as software supply chains are often in disarray even in some of the largest software and technology companies in the world.
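
One way a development team can check its own Gradle build files for an outdated Play Core dependency, as an added example that is not part of the original article or of Check Point's tooling. `MIN_FIXED` is a placeholder to be replaced with the fixed version named in the CVE-2020-8913 advisory, and the sample build file and its version numbers are constructed.

```python
import re

# Maven coordinate of the Play Core library as declared in Gradle files.
DEP_RE = re.compile(r"""['"]com\.google\.android\.play:core:([^'"]+)['"]""")

# PLACEHOLDER, not a real release number: set this to the first fixed
# Play Core version named in the CVE-2020-8913 advisory you rely on.
MIN_FIXED = "9.9.9"

def parse_version(text):
    """Return a tuple of ints for a plain dotted version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None  # dynamic ("1.+") or interpolated ("$var") version
    return tuple(int(part) for part in text.split("."))

def is_older(found, floor):
    """Compare versions after zero-padding, so 1.7 equals 1.7.0."""
    width = max(len(found), len(floor))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(floor)

def audit(gradle_text, min_fixed=MIN_FIXED):
    """Return (line_no, declared_version, status) per Play Core dependency."""
    floor = parse_version(min_fixed)
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore commented-out declarations
        for match in DEP_RE.finditer(code):
            version = parse_version(match.group(1))
            if version is None:
                status = "UNRESOLVED"  # needs a manual look at the real value
            elif is_older(version, floor):
                status = "OUTDATED"
            else:
                status = "OK"
            findings.append((line_no, match.group(1), status))
    return findings

# Constructed sample build file; the version numbers are made up.
SAMPLE = """\
dependencies {
    implementation 'com.google.android.play:core:9.9.8'
    implementation "com.google.android.play:core:9.10"
    implementation "com.google.android.play:core:$playCoreVersion"
    // implementation 'com.google.android.play:core:1.0.0'
}
"""
```

Calling `audit(SAMPLE)` reports one entry per declaration; `UNRESOLVED` entries come from versions set through variables or dynamic ranges and have to be checked against the resolved dependency tree.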