Majority of Mobile App Vulnerabilities From Open Source Code

COVID-19 has impacted everything over the past year, and mobile app security is no exception. The Synopsys Cybersecurity Research Center (CyRC) took an in-depth look at application security, and discovered just how vulnerable apps that use open source code really are. According to the report, 98% of apps use open source code, and 63% of those apps have at least one known vulnerability.

Open source code is no more or less vulnerable than any other code, Jonathan Knudsen, senior security strategist with Synopsys, was quick to point out in an email interview. The prime security task for any organization that uses open source code is how to manage the code correctly.

“The report underscores, among other things, that managing security vulnerabilities in open source software components is a very real problem,” Knudsen said. The challenge lies in the self-service nature of open source use. With no commercial vendor to push out updates and patches, it then becomes the responsibility of the developers and the business to evaluate and monitor for security risks and come up with a strategy for the inevitable security problems.

Adoption of Open Source

Developers turn to open source because it helps them code 20 to 30 times faster than writing their own from scratch; getting a mobile application into the marketplace quickly is a top priority. This need to move fast has created a dependency on open source. It has also led to the prioritization of development over security in many IT organizations just to remain competitive in the market.

“To stay competitive, software development teams must figure out how to write code quickly, while not sacrificing security to create value and preserve competitive advantage for their organizations,” said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber. Until that happens, open source will continue to be the go-to code.

Finding the Vulnerabilities

Code audits to detect vulnerabilities are easier to do on open source software, which is both a blessing and a curse: threat actors and well-intentioned developers have equal access to the code.

“Ethical hackers may look at well-maintained open-source projects and quickly identify and report vulnerabilities to help them get patched,” said Hank Schless, senior manager, security solutions at Lookout. “Threat actors may observe the code, find a vulnerability, and figure out how to exploit it as quickly as possible.”

On the other hand, Schless added, closed source or first-party code can encounter the same maintenance issues. “While the quality of both open and closed source code varies, switching from open to closed source code might mean swapping known vulnerabilities for unknown vulnerabilities.”

A More Secure Mobile App

When open source code is used, it often brings its own list of other open source components that it needs to function. These transitive dependencies can be many layers deep and snowball into hundreds of additional components. One open source project can end up pulling in hundreds of layers and dozens of possible vulnerabilities. Because of this, you can never test a single layer and assume the rest is fine: every layer must be tested, and updates and patches must be checked regularly.

“Software composition analysis (SCA) is a type of security testing that automates much of the work of identifying used software components, correlating known vulnerabilities and raising alerts when new vulnerabilities are identified,” said Knudsen.
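One way to see why every layer matters, as an added example that is not part of the article or of any Synopsys tool: a minimal SCA-style pass in Python that walks a constructed dependency manifest transitively and reports any component, however deep, whose version falls inside a constructed advisory's affected range. All component names, versions and advisory identifiers are made up for the example.

```python
# Added example (not from the article or Synopsys): a toy SCA pass that walks
# transitive dependencies and flags any depth that matches a constructed advisory.
from collections import deque

# Constructed dependency graph: name -> {"version": ..., "requires": [names]}
MANIFEST = {
    "app":         {"version": "1.0.0", "requires": ["net-lib", "ui-kit"]},
    "net-lib":     {"version": "2.3.1", "requires": ["json-parse"]},
    "ui-kit":      {"version": "4.0.2", "requires": ["image-codec"]},
    "json-parse":  {"version": "1.8.0", "requires": []},
    "image-codec": {"version": "0.9.4", "requires": ["json-parse"]},
}

# Constructed advisories: (component, first affected, first fixed, advisory id)
ADVISORIES = [
    ("json-parse",  "1.0.0", "1.8.3", "EXAMPLE-ADV-0001"),
    ("image-codec", "0.0.0", "0.9.5", "EXAMPLE-ADV-0002"),
]

def parse_version(v):
    """Turn '1.8.0' into a comparable tuple (1, 8, 0), so 1.10.0 > 1.9.0."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (fixed version is safe)."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)

def walk_dependencies(root, manifest):
    """Breadth-first walk: every reachable component once, with the path that pulled it in."""
    seen, out = {root}, []
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        out.append((name, path))
        for dep in manifest[name]["requires"]:
            if dep not in seen:          # a shared dependency is reported once
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return out

def find_vulnerable(root, manifest, advisories):
    """[(component, version, advisory_id, depth, path)] for each affected reachable component."""
    findings = []
    for name, path in walk_dependencies(root, manifest):
        version = manifest[name]["version"]
        for comp, lo, fixed, adv in advisories:
            if comp == name and is_affected(version, lo, fixed):
                findings.append((name, version, adv, len(path) - 1, " -> ".join(path)))
    return findings
```

Running `find_vulnerable("app", MANIFEST, ADVISORIES)` reports both affected components, each two layers below the app, with the dependency path that introduced them.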

Managing the open source components of an application is important, Knudsen added, but it is far from the end of the story.

“Applications will only get safer when they are built better with a comprehensive, proactive approach to security. This means incorporating security into every phase of software development, from design through implementation, testing and maintenance. Automated security testing is useful at multiple phases, and includes SCA, static analysis, fuzzing and other types of dynamic testing.”


Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
