Here’s why updating apps may not always keep your Android phone safe - Times of India

If you think using the latest Android version and keeping all your apps updated will keep your Android phone safe from malware attacks, you may be wrong. According to a report by Check Point Research, long-known vulnerabilities may persist even in apps recently published on the Google Play store.

“If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date. It comes as a shock to discover that these precautions are of no help when the app maintainers neglect to incorporate security fixes into their versions of popular components. Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort,” said Slava Makkaveev of Check Point Research.

Mobile apps typically use dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects or incorporate fragments of code from them. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries that may be affected by the vulnerability, or over the apps using those native libraries, the report explained. This is how an app may keep using an outdated version of the code even years after the vulnerability is discovered. It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers.

“To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned them for known patterns associated with vulnerable versions of open-source code. We found that three vulnerabilities of critical severity (Arbitrary Code Execution) from 2014, 2015 and 2016 still exist in hundreds of popular Android apps, including Yahoo Browser, Facebook, Instagram and WeChat,” Makkaveev added.

Source: Times Of India