Code Library Re-use Seeds Flaws in Top Android Apps

Codenomicon, the security firm which discovered the infamous Heartbleed vulnerability, has warned that almost half of the top 50 Android apps have serious flaws because they reuse source code libraries.

The Finnish firm evaluated the most popular apps on the Google Play store and found some worrying results.
 
It said 10% of the apps sent IMEI or location data to a third party and one in ten connected to more than two ad networks.
 
Further, nearly half of those top 50 apps send the user ID to third-party ad networks, while a third transmit private data in plain text, according to HotHardware.
 
The problem appears to be the reuse of code libraries, many of which contain flaws. Developers look to save time and money by building their customized apps on top of these shared libraries.
 
The problem is that if the code already has vulnerabilities, those same flaws will be introduced to the new apps.
 
A simple sandboxing test before the app is uploaded will apparently spot such vulnerabilities.
 
An alternative theory, however, is that some of the developers deliberately introduced functionality into their apps designed to send private information to third parties such as ad networks. This kind of info could net them a nice little profit on the side.
 
Tim Erlin, director of security and risk at Tripwire, argued that it’s not only portable, re-usable code libraries that are lowering barriers to entry for developers and start-ups.
 
“Tools like Apache’s HTTPD and Tomcat projects, the BIND DNS application, and, yes, OpenSSL have been adopted and embedded by major corporations, allowing them to spend precious development resources on other innovations instead of building their own proprietary wheel,” he added.
 
“Android, a kind of open source operating system itself, has done the same for the mobile device market. The downside of all this sharing is that any problems, weaknesses or vulnerabilities are shared as well. We saw this with the ‘Heartbleed’ vulnerability; its pervasiveness is just the underbelly of a high adoption rate for OpenSSL.”