The American Consumer Institute Center for Citizen Research (ACI), a non-profit consumer education and research organization, has released a study — “How Safe Are Popular Apps? A Study of Critical Vulnerabilities and Why Consumers Should Care.” After an extensive examination by ACI of the 330 most popular Android apps on the Google Play Store for known, open source software vulnerabilities, the report concludes that businesses and consumers are at risk of losing key data or having their privacy compromised.
“Open source software components are in more than 90% of all software in use today. Hackers like to exploit known, open source software vulnerabilities because of their widespread use by apps providers. Because vulnerabilities are published on readily accessible databases and are not always updated in commonly used apps, hackers have a roadmap to game access to consumers’ and businesses’ privacy,” said Steve Pociask, President of the American Consumer Institute. “Our study found that one-third of the most popular Android apps contained multiple security vulnerabilities – many of them critical. Apps from trusted brands including Wells Fargo, Bank of America, the NFL, Sephora, McDonalds, Instagram and Snapchat, among many others, could put businesses and consumers at risk, if left unpatched for known vulnerabilities. We are calling on all apps developers to redouble their efforts to find vulnerable code and to use the latest patches to plug these security holes.”
The study highlights the complacency that many apps providers have in keeping their software adequately protected against known, open source vulnerabilities. These vulnerabilities leave consumers, businesses and governments open to attacks by hackers with potentially disastrous results.
About the Study
During the first week in August of 2018, ACI’s research team used a binary code scanner to examine the APK files of the 330 most popular apps on the Google Play Store. The team selected the 10 most popular apps in each of the 33 main Android app categories. The study finds that the widespread use of unpatched open source code in popular apps is causing significant security vulnerabilities:
- Of the sample of 330 apps, 32 percent or 105 apps were found to have security vulnerabilities, with an average of 19 vulnerabilities per identified app;
- Among the sample, 1,978 vulnerabilities were found across all severity levels, with 43 percent of those found deemed high risk or critical; and
- Critical vulnerabilities were found in many common applications, including some of the most popular banking, event ticket purchasing, sports and travel apps.
According to the study, more effective governance is critical to addressing “threats such as compromised consumer devices, stolen data, and other malicious activity including identity theft, fraud or corporate espionage,” which are increasingly taking center stage. It is recommended that Android app developers scan their binary files to ensure that they catch and address all known security vulnerabilities. The study also stresses the urgency and need for apps providers to develop best practices now to reduce these risks and prevent a backlash from the public and policymakers.
This release is followed by a Hill event hosted by the American Consumer Institute on September 12, 2018 that invites an expert panel to discuss the new study and the privacy challenges throughout the Internet ecosystem.
A full copy of the study is available online at www.theamericanconsumer.org.