About half of the 50 most popular Android apps have vulnerabilities, and the reckless reuse of code libraries is to blame, according to the researchers who uncovered the Heartbleed security bug.
Codenomicon, the IT research firm that first published its findings about an OpenSSL vulnerability and gave it the name “Heartbleed,” reports that Android app developers often aren’t aware of the bugs they’re propagating when they copy code from third-party libraries.
The company will reveal the details of its findings—including the compromised Android apps—at the Black Hat USA security conference Aug. 6-7 in Las Vegas. (Codenomicon did not return ReadWrite’s request for comment.)
Why Recycled Code Makes Sense
The first rule of programming is not to reinvent the wheel. As a result, many developers reuse open source software to handle their cryptography for them. According to Chester Wisniewski, a Senior Security Advisor at Sophos, doing it themselves makes less sense.
Most app builders intent on building a cool app don’t have the remotest idea how to write a cryptographic library, Wisniewski told ReadWrite. “App builders depend on shared code because every coder can’t be familiar with every type of code in the world.”
When app builders do try to write new code, they often create new holes, Wisniewski said, pointing to WhatsApp, the chat app Facebook is acquiring for $1 billion. When WhatsApp’s developers initially tried to write their own cryptographic code, their lack of security knowledge left the chat app compromised in ever new and alarming ways.
“The flaw in OpenSSL, while scary, didn’t result in anything bad happening,” said Wisniewski. “The IT community came together quickly. The alternative [to open source software] is 25 different kinds of brokenness like with WhatsApp.”
Reaching A Compromise
Creating one’s own cryptographic library is much more work than reusing existing code, and usually with worse results. So that’s probably not what Codenomicon will suggest when it presents its findings at Black Hat.
Instead, Codenomicon’s chief security specialist, Olli Jarva, told ITnews that he advises developers not to treat open source as a “free lunch.”
“We have to take care to test well enough the libraries we use so we can be confident they are safe enough to be used,” he said.
In other words, developers ought not only to be familiar with the libraries they’re shipping; they should also keep them up to date and continue to patch them. That is something they have little incentive to do, as programmer Marco Arment bitterly writes of the Apple App Store:
“Top lists reward apps that get people to download them, regardless of quality or long-term use, so that’s what most developers optimize for… Quality, sustainability, and updates are almost irrelevant to App Store success.”
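Knowing which third-party libraries an app actually ships, and whether they are patched, is the concrete form of the advice above. The script below is an added example, not Codenomicon’s tooling or anything from the article: it walks the native libraries of an unpacked APK, looks for the version banner that OpenSSL compiles into libcrypto, and flags builds in the Heartbleed-affected range (1.0.1 through 1.0.1f; 1.0.1g fixed it). The function names, the sample library blobs, and the banner heuristic are this example’s own assumptions; a stripped or custom build may carry no banner at all, so treat “no banner found” as “unknown,” not as “clean.”

```python
"""Inventory OpenSSL builds embedded in an app's native libraries.

Hypothetical helper written for this article, not Codenomicon's tool. It
looks for the version banner OpenSSL compiles into libcrypto/libssl and
flags builds in the Heartbleed-affected range (1.0.1 through 1.0.1f).
"""
import re
import sys
from pathlib import Path

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in libcrypto.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")

# 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carried the fix.
HEARTBLEED_LAST_BAD_LETTER = "f"


def find_openssl_versions(blob: bytes) -> list:
    """Return the distinct OpenSSL version strings found in a binary blob."""
    found = []
    for m in BANNER_RE.finditer(blob):
        version = b".".join(m.group(1, 2, 3)).decode() + m.group(4).decode()
        if version not in found:
            found.append(version)
    return found


def is_heartbleed_affected(version: str) -> bool:
    """True for 1.0.1 through 1.0.1f; any other branch or letter is unaffected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)  # "" sorts before "a", so a bare 1.0.1 is caught too
    return (major, minor, patch) == (1, 0, 1) and letter <= HEARTBLEED_LAST_BAD_LETTER


def audit_libraries(libraries: dict) -> list:
    """Map {library name: bytes} to (name, version, affected) findings.

    Libraries with no OpenSSL banner are reported with version None so the
    inventory still lists every bundled native library.
    """
    findings = []
    for name, blob in sorted(libraries.items()):
        versions = find_openssl_versions(blob)
        if not versions:
            findings.append((name, None, False))
        for v in versions:
            findings.append((name, v, is_heartbleed_affected(v)))
    return findings


def audit_directory(path: str) -> list:
    """Scan every .so under an unpacked APK's lib/ directory (hypothetical layout)."""
    root = Path(path)
    libs = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*.so")}
    return audit_libraries(libs)


# Constructed sample "native libraries": a few bytes with and without banners.
SAMPLE_LIBS = {
    "lib/armeabi/libcrypto.so": b"\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...",
    "lib/armeabi/libvendorssl.so": b"\x7fELF...OpenSSL 1.0.1g 7 Apr 2014...",
    "lib/armeabi/libgame.so": b"\x7fELF...no crypto here...",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_directory(target) if target else audit_libraries(SAMPLE_LIBS)
    for name, version, affected in results:
        status = "HEARTBLEED-AFFECTED" if affected else "ok"
        print(f"{name}: OpenSSL {version or '-'} [{status}]")
```

Run it with no arguments to see the constructed sample, or pass the path of an unpacked APK to scan its `lib/` tree. The banner match is a cheap first pass for a release checklist; the same inventory is what a developer needs in order to know which library versions to bump when the next advisory lands.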
Assuming the best of intentions on the part of developers, one remedy might be to use smaller, lighter libraries: the more code you ship, the more bugs you ship. Wisniewski suggested that most app developers can opt out of OpenSSL in favor of lighter cryptography libraries like Google’s BoringSSL.
“OpenSSL is a jack of all trades that provides a lot of services,” he said. “When you only need one tiny secure connection to a website in your app, you don’t need that giant lump of code. All of a sudden you’re getting all these vulnerabilities for features you’re not even using. Choose slimmer, lighter libraries for only what you need; don’t throw in everything but the kitchen sink.”
Photo by Matt Waddell