I spoke to a technology vendor at BlackHat last week whose entire pitch was to track which software components are used in apps and flag when they need updating. Looks like very few app developers are actually using anything like that…:
[…] According to the research at Check Point, there is one key reason why these security vulnerabilities are so widespread in Android apps: app developers tend to copy code from vast code libraries so that they are not “reinventing the wheel” every time they build a new app. Security flaws lurking within these code libraries are then transferred to the Android apps using specific pieces of code from these libraries.
Complicating matters further is the fact that much of this code is coming from open source projects, where there is no clear owner of the code – and, thus, nobody to take responsibility for patching the code when security vulnerabilities are discovered. How security flaws are fixed in an open source project can vary widely. That would help to explain how known security flaws dating back to the period 2014-2016 are still showing up in thousands of Android apps. As Check Point noted in a mid-November Threat Intelligence Report: “This [situation] is caused by failure of app maintainers to incorporate security fixes made in open source sub-components into new versions of popular applications…”
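The kind of component tracking the vendor pitched boils down to this: inventory the third-party libraries an app pulls in and compare each pinned version against an advisory feed. The script below is an added example written for this post, not code from the vendor, Check Point, or any app; the Gradle fragment, the advisory entries and their PLACEHOLDER ids are all constructed, and a real check would read the resolved dependency lockfile and a real vulnerability database.

```python
import re

# Constructed sample of an Android app's Gradle dependency block (not from any real app).
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.example.net:httpclient:2.3.1'
    implementation 'org.example.media:ffmpeg-wrapper:1.0.4'
    implementation 'com.example.ui:widgets:4.2.0'
    implementation 'com.example.analytics:tracker:3.+'
}
"""

# Constructed advisory feed: (group, artifact) -> (advisory id, first fixed version).
# Placeholder identifiers; a real feed would come from a vulnerability database.
ADVISORIES = {
    ("com.example.net", "httpclient"): ("PLACEHOLDER-ADV-001", (2, 4, 0)),
    ("org.example.media", "ffmpeg-wrapper"): ("PLACEHOLDER-ADV-002", (1, 1, 0)),
}

# Matches Gradle string-notation dependencies: configuration 'group:artifact:version'
DEP_RE = re.compile(
    r"""(?:implementation|api|compile)\s+['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""")


def parse_version(version):
    """Turn '2.3.1' or '1.0.4-beta' into a comparable tuple (2, 3, 1) / (1, 0, 4)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def parse_dependencies(gradle_text):
    """Return (group, artifact, version) triples found in a build.gradle fragment."""
    return DEP_RE.findall(gradle_text)


def find_outdated(gradle_text, advisories=ADVISORIES):
    """Flag components below their first fixed version, and unpinned ('+') versions."""
    findings = []
    for group, artifact, version in parse_dependencies(gradle_text):
        component = f"{group}:{artifact}"
        if "+" in version:
            # A dynamic version cannot be checked from the manifest alone.
            findings.append({"component": component, "version": version,
                             "issue": "unpinned version; check the resolved lockfile"})
            continue
        advisory = advisories.get((group, artifact))
        if advisory and parse_version(version) < advisory[1]:
            findings.append({"component": component, "version": version,
                             "issue": f"{advisory[0]} fixed in "
                                      + ".".join(map(str, advisory[1]))})
    return findings


if __name__ == "__main__":
    for f in find_outdated(SAMPLE_BUILD_GRADLE):
        print(f"{f['component']} {f['version']}: {f['issue']}")
```

Running this in CI on every build is the cheap version of what the vendor sells; the hard part it does not solve is the one Check Point describes, getting the upstream fix into the library release the app actually depends on.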