IT research firm Codenomicon found that bugs in about 25 of the top 50 Android apps originate from third-party libraries that are used by many developers. The practice is quite common, because it allows developers to easily add more advanced functionality to apps, such as security features coming from third-party cryptographic libraries. It is impossible for any developer to master all types of code, so shared libraries make everything easier. However, if those shared libraries contain errors, those errors will cause bugs that can propagate quickly as others simply copy and paste that code into their apps. Chester Wisniewski, a Senior Security Advisor at Sophos, explained the issue by noting an example where WhatsApp tried to build its own crypto code without a proper understanding of how to do so, and ended up with quite a lot of security flaws in its app.
Codenomicon is planning to present its findings in more detail at the upcoming Black Hat security conference, scheduled for August 6th and 7th. The hope is to reach consensus on ways to better test third-party libraries, and to make developers aware that those libraries need to be kept up to date and patched both in code hosting services like GitHub and in the apps that use them.