Major release: the 2018 White Paper on Android Application Security finds that over 98% of Android applications have security risks

Posted by tzul at 2020-02-26

As threats to mobile application security grow, such as malicious programs, fraudulent fee deduction and data disclosure, the value of Android application security protection continues to be debated inside and outside the industry. At the fourth Tencent Security International Technology Summit (TenSec 2019), held on June 11-12, Tencent Security Keen Lab released the 2018 Android Application Security White Paper (hereinafter "the white paper"), which analyses in depth the security risks of Android applications and their causes and proposes targeted solutions.

Using ApkPecker, an automated vulnerability scanning system for Android applications developed by Tencent Security Keen Lab, the white paper selected 1404 applications with high download volumes in 2018 and scanned them for vulnerabilities. It found that over 98% of the applications carry security risks of one type or another, mainly because of hidden dangers introduced during development, difficulty in monitoring vulnerabilities, weak protective capabilities, and lagging remediation management.

The white paper recommends that major application vendors establish security management across the whole product life cycle, from app development to user interaction, and carry out real-time security risk detection and control to avoid unnecessary losses.

Over 98% of Android apps have security risks

Video and audio playback applications carry the highest risk

According to industry data, nearly 50% of global app downloads in 2018 came from China, and mobile applications are increasingly woven into public life and every industry. However, the number of malicious programs on the Android platform is also growing rapidly: according to the latest statistics from G DATA, from 2012 to the end of the third quarter of 2018 more than 3.2 million new malicious samples were found among Android applications, an average of more than 11000 per day. Driven by open source component security risks, vulnerabilities introduced in the development process, application cloning and other factors, the security threat represented by vulnerabilities has penetrated mobile application development, user interaction and other stages, and has become a constraint on the growth of the mobile application industry.

According to the white paper, video and audio playback applications have the most security risks, followed by communication, social networking and online shopping applications. Compared with other types of mobile applications, these three categories have rich product functions and interaction modes and high user stickiness, so once a security risk materialises, the number and range of users affected will be far larger than expected.

By type of security risk, denial of service vulnerabilities, implicit intent information disclosure and binary security risks are the most numerous, and the number of apps affected by each also ranks in the top three. Among them, more than 80% of mobile applications carry the risk of implicit intent information disclosure. By exploiting these vulnerabilities, which are deeply embedded in Android applications, attackers can hijack user information, maliciously deduct and consume user fees, and even combine multiple risks into an attack chain spanning application development, app store listing and user interaction, which can easily trigger an application security crisis affecting users on the scale of 100 million.

Component security risks still reach 70%

The lack of security mechanisms in the development cycle is the main cause

According to the detection data of ApkPecker, the automated vulnerability scanning system for Android applications, the security risks faced by Android applications can be divided into vulnerability exploitation in application scenarios, vulnerability attacks on backend services, and other categories. The white paper shows that in the sample test of 1404 Android applications, the lack of confidentiality mechanisms for user information adds to the security pressure on mobile applications; the frequent security incidents this causes do great harm to users' information, accounts and funds.

Working from the scenarios that trigger security risks, the white paper then analyses in detail the risks that appear most frequently in current mobile applications, such as data leakage, communication between components, SDK vulnerabilities and native third-party library vulnerabilities, and points out that 74% of the 1404 samples tested are at risk of denial of service attack. Developers' failure to validate and handle exceptions in external input data received by exported components is the main cause of malicious security events in inter-component communication, and it also increases the risk of chained exploitation of vulnerabilities, leading to larger-scale information leakage.
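As an added illustration of the two risks described above (implicit intent information disclosure, and denial of service through unvalidated input to an exported component), the following Java is example code written for this article, not code from the white paper or ApkPecker; the class, action and extra names are hypothetical.

```java
// Added example, not from the white paper or ApkPecker. Class, action and
// extra names are hypothetical. ShareActivity is assumed to be declared
// android:exported="true" in AndroidManifest.xml; components that need not
// accept Intents from other apps should stay android:exported="false".
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public class ShareActivity extends Activity {
    static final String ACTION_SHARE = "com.example.action.SHARE";
    static final String EXTRA_TOKEN = "session_token";

    // VULNERABLE form: trusts whatever Intent arrives from any app.
    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Bundle extras = getIntent().getExtras();         // null when the sender attached no extras
        String token = (String) extras.get(EXTRA_TOKEN); // NullPointerException / ClassCastException
        int count = extras.getInt("count");              // are uncaught, the process dies: DoS
        Intent leak = new Intent(ACTION_SHARE);          // implicit Intent: any app whose
        leak.putExtra(EXTRA_TOKEN, token);               // intent-filter matches ACTION_SHARE
        startActivity(leak);                             // can receive the token (disclosure)
    }
}

// HARDENED form: validates input, handles exceptions, targets an explicit component.
class ShareActivityFixed extends Activity {
    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        String token;
        int count;
        try {
            Bundle extras = getIntent().getExtras();             // unparcels sender-supplied data
            if (extras == null) { finish(); return; }            // reject empty input, do not crash
            token = extras.getString(ShareActivity.EXTRA_TOKEN); // null on missing key or wrong type
            count = extras.getInt("count", 0);                   // default value instead of exception
        } catch (RuntimeException e) {                           // e.g. BadParcelableException from
            finish(); return;                                    // a hostile Parcel
        }
        if (token == null || token.length() > 256 || count < 0) { finish(); return; }
        Intent out = new Intent();                               // explicit Intent: receiver is named,
        out.setComponent(new ComponentName(getPackageName(),    // no other app can intercept it
                "com.example.ReceiverActivity"));
        out.putExtra(ShareActivity.EXTRA_TOKEN, token);
        out.putExtra("count", count);
        startActivity(out);
    }
}
```

A static scanner of the kind the white paper describes flags the first class on two counts: an exported entry point that dereferences untrusted extras without checks, and sensitive data sent through an implicit Intent.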

Because mobile application developers call third-party libraries directly during development without paying attention to the security of that code, nearly 50% of the applications tested had SDK library vulnerabilities and more than 58% were threatened by native library vulnerabilities. This greatly increases the difficulty of app security management, and the fragmented, hard-to-trace nature of these libraries even creates a vicious circle of security risk.

In addition, platform, application and business logic risks and DDoS/CC attacks on the mobile application's backend servers are also important triggers of Android application security incidents. The white paper therefore points out that the security risks of mobile applications are not independent of one another, and the trend of building a complete attack chain out of multiple security risks is increasingly obvious. Android mobile application security needs top-down, closed-loop maintenance and defence practice across the entire industry.

Finally, the white paper reminds major Android app developers and app stores that the success of risk prevention is determined by the weakest part of the attack surface. Using attack-surface-based static detection tools and building a security risk assessment model covering the whole life cycle of a mobile application is an effective way to detect the risks of Android mobile applications and accurately prevent security threats. As a fully automated Android application vulnerability scanning tool, ApkPecker outputs high-quality vulnerability scanning reports, accurately locates vulnerabilities and provides remediation suggestions, helping mobile security personnel improve application security.

At the same time, drawing on its experience in mobile application penetration testing and its analysis of cutting-edge attack patterns, Tencent Security Keen Lab also proposes a security self-examination radar chart for attack-surface-oriented static detection of mobile applications. It helps Android application developers track the real-time dynamics of security risks found by static detection comprehensively, objectively and efficiently, and helps break through the bottleneck of high false-positive rates in security detection.

On this basis, Tencent Security Keen Lab will continue to open up its core security technologies and capabilities and contribute to the secure and healthy digital transformation and upgrading of industries.

13 June 2019