by Dr. Krisztina Pusok, director for research & public policy at the American Consumer Institute
It’s becoming easier than ever for consumers to unknowingly download potentially damaging applications onto their devices, risking the integrity of their personal information.
A new study by the American Consumer Institute shows that popular apps are routinely built on open source components carrying known, unpatched security vulnerabilities, a risk that, so far, hasn’t attracted the attention it deserves.
Overall, more than 40,000 open source vulnerabilities have been reported in the past 17 years, with more than 14,000 new vulnerabilities identified in 2017 alone.
The report examines 330 of the most popular Android apps in the United States, including applications that were patched to resolve security weaknesses as well as those that were not. Leveraging a fingerprint-based binary code scanner from Insignary, each app was analyzed for open source code containing known, preventable security vulnerabilities. Of the initial sample, 105 apps (32 percent of the total) were found to contain vulnerable components, and the number of vulnerabilities averaged roughly 6 per application over the full sample of 330 apps.
Moreover, 43 percent of the vulnerabilities identified are rated high or critical by the National Vulnerability Database. The NVD derives these ratings from CVSS scores; in practice a vulnerability is rated “critical” when little knowledge or skill is required to exploit it and successful exploitation can cause a total loss of system protection. Critical vulnerabilities were most common in apps in the Libraries & Demo, Entertainment, and Health & Fitness categories.
Across all severity levels, nearly 2,000 vulnerabilities were detected in those 105 apps, about 19 per affected app.
Open source’s widespread adoption by companies all over the world has also made life easier for attackers: a single vulnerable component, left unpatched, is reachable in every product that embeds it, and that product’s users’ personal data along with it.
There are a few reasons for this.
According to a 2017 Black Duck report, open source is neither more nor less secure than custom code, but certain characteristics of open source make its vulnerabilities particularly attractive to attackers. These characteristics include:
- Open source is widely used in commercial applications, providing attackers with a target-rich environment;
- Unlike most commercial software for personal computers and smartphones, where updates are automatically “pushed” to users, open source components follow a “pull” support model: the developer who embeds a library is responsible for keeping track of vulnerabilities, fixes and updates and for shipping a rebuilt product, and on IoT devices and smartphones that rebuilt product may never reach the user;[1]
- If an organization is not aware of all the open source used in its code, it cannot properly defend against common attacks targeting known vulnerabilities; and
- Attackers can more easily exploit known open source security vulnerabilities because they are publicly listed in the CVE database, which provides a roadmap for exploiting the affected code.
The sheer number of applications containing open source code makes it a target-rich environment for anyone seeking to cause harm. Unfortunately, many of the companies and consumers who rely on open source are simply not aware of its vulnerabilities, leaving the door wide open for harmful intrusions.
So why do app creators choose to use open source code instead of writing proprietary code of their own? Because open source lets them build on work that already exists, so they can create products faster and at a lower cost. Proprietary software development is expensive and time-consuming, so companies are motivated to seek faster and less expensive substitutes.
Despite growing concern over open source security, more companies are choosing to switch to open source code. London-based Skyscanner Ltd., for example, a travel search engine application that used to run on custom proprietary code, began using open source code a few years ago. State and local governments are also joining the trend.
As software’s role in our lives continues to grow, cyber attacks are becoming more sophisticated and consequential than ever before. Innovation in self-driving automobiles and medical devices, for example, is primarily built on a core of open source
Until it becomes possible to robustly monitor the security of open source code and install patches automatically, more due diligence is needed from companies that use and market this software.
Even though open source is an essential element in application development today, companies that do not protect their software applications from known open source vulnerabilities run the risk of disastrous consequences for both themselves and their customers. Evidence suggests that examining enterprise and mobile device software for known open source security vulnerabilities, and addressing them before the code ships, can significantly reduce data loss and privacy intrusion for consumers and businesses.
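To make the pre-shipping check described above concrete, here is a toy software-composition scan in the spirit of the binary scanner the report used. This is an added example, not Insignary’s tool and not code from the ACI report: an APK is a zip file, so the script opens it, pulls version banners out of every bundled native library, and compares the versions against a table of known-vulnerable ranges. The APK it scans is constructed in memory, and the vulnerability table holds a single real entry (Heartbleed, CVE-2014-0160, which affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g) standing in for a full feed such as the NVD’s.

```python
"""Toy software-composition scan of an Android APK's bundled native libraries.

Added illustration, not the report's scanner. An APK is a zip, so we open it, pull
version banners out of every lib/**/*.so, and compare the versions against a small
table of known-vulnerable version ranges. The APK built below and the banner table
are constructed sample data; a real scan would consume the full NVD/CVE feed.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Banner strings that these well-known libraries embed in their compiled binaries.
BANNER_PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) "),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
}

# (component, first affected version, first fixed version, CVE id).
# One real entry: Heartbleed affected OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g.
KNOWN_VULNERABLE = [
    ("openssl", "1.0.1", "1.0.1g", "CVE-2014-0160"),
]


def parse_version(text):
    """'1.0.1f' -> (1, 0, 1, 6); '1.0.2' -> (1, 0, 2, 0).

    OpenSSL's letter suffix marks a later release than the bare version, so it
    becomes a fourth component that sorts after 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    major, minor, patch, letter = m.groups()
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), suffix)


@dataclass(frozen=True)
class Finding:
    path: str
    component: str
    version: str
    cve: str


def identify_components(blob):
    """Return {component: version} for every known banner found in a binary blob."""
    found = {}
    for name, pattern in BANNER_PATTERNS.items():
        m = pattern.search(blob)
        if m:
            found[name] = m.group(1).decode("ascii")
    return found


def scan_apk(apk_bytes):
    """List every bundled native library whose version falls in a known-vulnerable range."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if not (entry.startswith("lib/") and entry.endswith(".so")):
                continue
            blob = apk.read(entry)
            for component, version in identify_components(blob).items():
                v = parse_version(version)
                for comp, introduced, fixed, cve in KNOWN_VULNERABLE:
                    if comp == component and parse_version(introduced) <= v < parse_version(fixed):
                        findings.append(Finding(entry, component, version, cve))
    return findings


def build_sample_apk():
    """Constructed APK-shaped zip: one vulnerable OpenSSL build, one clean libpng build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        z.writestr("lib/arm64-v8a/libcrypto.so",
                   b"\x7fELF" + b"\0" * 12 + b"OpenSSL 1.0.1f 6 Jan 2014\0" + b"\0" * 8)
        z.writestr("lib/arm64-v8a/libpng16.so",
                   b"\x7fELF" + b"\0" * 12 + b"libpng version 1.6.37 - April 14, 2019\0")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"{f.path}: {f.component} {f.version} matches {f.cve}")
```

Run against the constructed APK, the scan flags libcrypto.so as OpenSSL 1.0.1f inside the Heartbleed range and passes libpng16.so, which has no entry in the table. Banner matching is the weakest part of a real scanner: libraries built without version strings, or with the banner stripped, slip through, which is why commercial tools fingerprint the compiled code itself rather than relying on embedded text.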
With the total annual cost of cybercrime expected to reach $2 trillion in 2019, mitigating the risks associated with known open source vulnerabilities is imperative.
About the Author
Dr. Krisztina Pusok is the director for research and public policy at the American Consumer Institute, a nonprofit educational and research organization. She is responsible for a wide variety of public policy issues, including technology and science issues. For more information about the Institute, visit www.TheAmericanConsumer.Org.