2018 Android Application Security White Paper: Over 98% of Android Applications Have Security Risks

June 14, 2019

At the 4th Tencent Security International Technology Summit (TenSec 2019), Tencent Security Cohen Lab released the “2018 Android Application Security White Paper” (hereinafter the “White Paper”). The White Paper shows that 98% of Android applications have security risks, with audio and video playback applications the most at risk.

The White Paper is based on ApkPecker, the automated Android application vulnerability scanning system developed in-house by Tencent Security Cohen Lab. It selected 1404 applications with a high download volume in 2018, and the vulnerability scan found that over 98% of them have security risks of different types. The main causes of these risks include hidden dangers in system development, difficulty in monitoring vulnerabilities, insufficient protection capability, and delays in repair management.

Among them, audio and video playback applications have the most security risks, followed by communication and social applications and online shopping applications. Compared with other types of mobile applications, these three types have rich product features and interactions and high user stickiness. Once security risks are present, the number of affected users and the scope of the impact will be much larger than expected.

According to ApkPecker's detection data, the security risks faced by Android applications can be divided into exploits in application scenarios and attacks on vulnerabilities in the service backend. The White Paper shows that, in this sample test of 1404 Android applications, the lack of a user information privacy mechanism increases the security pressure on mobile applications. The resulting security incidents are frequent and bring great harm to users' information, accounts and funds.

The White Paper also looks at the scenarios that trigger security risks, focusing on data leakage, inter-component communication, vulnerabilities in third-party SDK and native libraries, and other security risks that frequently appear in current mobile applications. Of the 1404 samples tested, 74% of the applications were at risk of denial-of-service attacks. Developers' inadequate validation and exception handling of external input data to exposed components is the main cause of malicious security incidents between components. It also increases the risk of exploits being combined, leading to large-scale information leakage.
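An added example, not taken from the White Paper or from ApkPecker: a small Python check that lists the exposed components discussed above, meaning those other apps can reach without holding a permission, so their input handling can be reviewed first. The sample manifest and the `com.example.player` names are constructed; the check assumes a text-form AndroidManifest.xml (for example as decoded by apktool) and does not consider application-level permissions or provider read/write permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded text form (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PlayActivity">
      <intent-filter><action android:name="com.example.player.PLAY"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.player.SYNC"/>
    <receiver android:name=".PushReceiver" android:exported="true"/>
    <provider android:name=".MediaProvider" android:authorities="com.example.player.media"/>
  </application>
</manifest>"""


def exposed_components(manifest_xml):
    """Return (tag, name, reason) for components reachable without a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID + "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and has_filter and comp.tag != "provider":
            # With android:exported absent, an intent-filter exports the component.
            reason = "implicitly exported by intent-filter"
        else:
            continue
        if comp.get(ANDROID + "permission") is None:
            findings.append((comp.tag, comp.get(ANDROID + "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in exposed_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:16} {reason}")
```

Each component it reports receives Intents or calls from other apps, so its handling of extras and other external data is where validation and exception handling need to be checked.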

Because mobile application developers call third-party libraries directly during development without paying attention to the security of that code, nearly 50% of the samples tested have SDK library vulnerabilities, and over 58% of the applications are threatened by native library vulnerabilities, which greatly increases the difficulty of app security management. The fragmentation and poor traceability of applications can even lead to a vicious circle of security risks.