Android’s Most Popular Apps Are Lousy With Bugs, Researchers Find

About half of the 50 most popular Android apps have vulnerabilities, and the careless reuse of third-party code libraries is to blame, according to the researchers who uncovered the Heartbleed security bug.

Codenomicon, the security firm that was first to publish its findings about the OpenSSL vulnerability it dubbed “Heartbleed,” reports that Android app developers often aren’t aware of the bugs they’re propagating when they pull code in from third-party libraries.

The company will reveal the details of its findings, including which Android apps are affected, at the Black Hat USA security conference Aug. 6-7 in Las Vegas. (Codenomicon did not return ReadWrite’s request for comment.)

Why Recycled Code Makes Sense

The first rule of programming is not to reinvent the wheel. As a result, many developers reuse open source libraries to handle their cryptography rather than writing it themselves. According to Chester Wisniewski, a Senior Security Advisor at Sophos, doing it themselves makes even less sense.

Most app builders intent on building a cool app don’t have the remotest idea how to write a cryptographic library, Wisniewski told ReadWrite. “App builders depend on shared code because every coder can’t be familiar with every type of code in the world.”

When app builders do try to write their own code, they often create new holes, Wisniewski said, pointing to WhatsApp, the chat app Facebook is acquiring for $19 billion. When WhatsApp’s developers initially tried to roll their own cryptography, their lack of security expertise left the app vulnerable in a series of new and alarming ways.

“The flaw in OpenSSL, while scary, didn’t result in anything bad happening,” said Wisniewski. “The IT community came together quickly. The alternative [to open source software] is 25 different kinds of brokenness like with WhatsApp.”

Reaching A Compromise

Writing one’s own cryptographic library is far more work than reusing existing code, and usually yields worse results. So that’s probably not what Codenomicon will suggest when it presents its findings at Black Hat.

Instead, Codenomicon’s chief security specialist, Olli Jarva, told ITnews that he advises developers not to treat open source as a “free lunch.”

“We have to take care to test well enough the libraries we use so we can be confident they are safe enough to be used,” he said.

In other words, developers ought not only to be familiar with the libraries they’re shipping; they also should keep them up to date and continue to patch them. That is something they have little incentive to do, as programmer Marco Arment bitterly writes of the Apple App Store:

“Top lists reward apps that get people to download them, regardless of quality or long-term use, so that’s what most developers optimize for… Quality, sustainability, and updates are almost irrelevant to App Store success.”
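The check Jarva’s advice implies is a concrete one: find out which library versions an app actually ships and whether they are the ones with known holes. The script below is an added example, not Codenomicon’s tooling and not code from the article. It assumes the app bundles its own OpenSSL build under lib/<abi>/ with the stock OPENSSL_VERSION_TEXT banner (for example “OpenSSL 1.0.1e 11 Feb 2013”) still present in the binary, scans every .so for that banner, and flags versions in the Heartbleed-affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1). The three library blobs in SAMPLE_LIBS are constructed stand-ins for real .so files.

```python
"""Scan an Android app's bundled native libraries for embedded OpenSSL
version banners and flag builds in the Heartbleed-affected range.

Added example, not Codenomicon's tooling. Assumes the app ships its own
OpenSSL copy (libssl.so / libcrypto.so, or a statically linked .so) that
still carries the stock OPENSSL_VERSION_TEXT banner.
"""
import re
import zipfile
from typing import Dict, List, Tuple

# OPENSSL_VERSION_TEXT as it appears in a compiled libssl/libcrypto,
# e.g. b"OpenSSL 1.0.1e 11 Feb 2013" or b"OpenSSL 1.0.2-beta1 24 Feb 2014".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d))?\b")


def is_heartbleed_affected(version: str) -> bool:
    """True for OpenSSL releases that ship the unpatched TLS heartbeat code.

    CVE-2014-0160 affects 1.0.1 (including its pre-releases) through 1.0.1f,
    fixed in 1.0.1g, and 1.0.2-beta1, fixed in 1.0.2-beta2. The 0.9.8 and
    1.0.0 lines never had the heartbeat extension and are not affected.
    """
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d))?", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return letter < "g"  # "" (1.0.1 or a 1.0.1 beta) and "a".."f"
    if base == "1.0.2":
        return beta == "1"
    return False


def find_openssl_versions(blob: bytes) -> List[str]:
    """Return the distinct OpenSSL version strings embedded in a binary blob."""
    versions: List[str] = []
    for m in BANNER_RE.finditer(blob):
        v = (m.group(1) + m.group(2)).decode("ascii")
        if m.group(3):
            v += "-beta" + m.group(3).decode("ascii")
        if v not in versions:
            versions.append(v)
    return versions


def scan_libraries(libs: Dict[str, bytes]) -> Dict[str, List[Tuple[str, bool]]]:
    """Map each library path to its (version, affected) findings.

    Libraries with no OpenSSL banner are left out of the report.
    """
    report: Dict[str, List[Tuple[str, bool]]] = {}
    for path, blob in libs.items():
        found = find_openssl_versions(blob)
        if found:
            report[path] = [(v, is_heartbleed_affected(v)) for v in found]
    return report


def scan_apk(path: str) -> Dict[str, List[Tuple[str, bool]]]:
    """Scan every native library under lib/ inside an APK (an APK is a zip)."""
    with zipfile.ZipFile(path) as apk:
        libs = {
            name: apk.read(name)
            for name in apk.namelist()
            if name.startswith("lib/") and name.endswith(".so")
        }
    return scan_libraries(libs)


# Constructed sample: fake .so blobs standing in for an APK's lib/ tree.
SAMPLE_LIBS: Dict[str, bytes] = {
    "lib/armeabi-v7a/libcrypto.so": (
        b"\x7fELF\x01\x01\x01" + b"\x00" * 16
        + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 8
    ),
    "lib/armeabi-v7a/libssl.so": b"\x7fELF\x01\x01\x01OpenSSL 1.0.1h 5 Jun 2014\x00",
    "lib/armeabi-v7a/libnative.so": b"\x7fELF\x01\x01\x01nothing to see here\x00",
}


if __name__ == "__main__":
    for lib, findings in scan_libraries(SAMPLE_LIBS).items():
        for version, affected in findings:
            status = "VULNERABLE (Heartbleed)" if affected else "ok"
            print(f"{lib}: OpenSSL {version} -> {status}")
```

Treat a hit as a lead rather than a verdict: a vendor can backport the fix without changing the banner, an app may use the platform’s TLS stack instead of the copy it bundles, and a clean scan says nothing about the other bugs in a library the developer never updates. The point of the exercise is the one Jarva makes: know what you ship, and check it against what is known to be broken.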

Assuming the best of intentions on the part of developers, one solution might be to use smaller, lighter libraries: the more code you ship, the more bugs you ship. Wisniewski suggested that most app developers can opt out of OpenSSL in favor of slimmer cryptography libraries such as Google’s BoringSSL, a trimmed-down fork of OpenSSL.

“OpenSSL is a jack of all trades that provides a lot of services,” he said. “When you only need one tiny secure connection to a website in your app, you don’t need that giant lump of code. All of a sudden you’re getting all these vulnerabilities for features you’re not even using. Choose slimmer, lighter libraries for only what you need; don’t throw in everything but the kitchen sink.”

Photo by Matt Waddell
