
Beware the Ides of Third-Party

  • Kwasi Boakye-Boateng
  • published date: 2020-10-06 10:45:55

The usage of third-party libraries in mobile application development is common. It reduces the person-hours that would go into writing one's own libraries for the same task, enables rapid software development through code reuse, and lowers cost. However, vulnerabilities within these third-party libraries can have a cascading effect which, in the worst-case scenario, leads to the compromise of the user's mobile device. Adding the vulnerabilities of third-party libraries to those introduced while coding one's own application increases the attack surface of the application.

It is quite common (even though it is a bad habit) for developers to use third-party libraries without first checking whether they have known vulnerabilities, and whether those have been mitigated. The consequences, need I mention, can include an adversary gaining access to the confidential information of the users of their applications. These can also turn into potential lawsuits depending on the scale of the damage.

There was a third-party library that I used to use back in the day called Retrofit [1], which made parsing of REST APIs (application programming interfaces) extremely easy. I had not known that there were vulnerabilities (CVE-2018-1000850 [2]) with that library until I decided to look up the CVE (Common Vulnerabilities and Exposures) repository and found that some existed.

A popular third-party library called Mozjpeg, which Instagram uses as its JPEG format encoder, has a vulnerability (CVE-2020-1895) found by Check Point Research [3]. The attacker sends a malicious image via any messaging platform, and when the user opens it in the Instagram application, the exploitation takes place. Facebook has successfully fixed that vulnerability.

These two scenarios were presented to highlight that, whatever the scale of your application, ensuring that your third-party libraries are always up to date and secure is of prime importance. The Open Web Application Security Project (OWASP) states that outdated third-party libraries are three times more probable to include vulnerabilities [4].
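The check the two paragraphs above call for, namely knowing which declared dependencies fall inside a known-vulnerable version range before shipping, can be automated. The script below is an added example and not code from the original post or from any of the projects it mentions. It parses a constructed `build.gradle` fragment and compares each declared version against a small advisory table. That table is constructed for the example: the Retrofit entry reuses the CVE id the post cites, but its version bounds are placeholders rather than the range published by NVD, and the `com.example:jpeg-encoder` library and its advisory id are entirely hypothetical.

```python
"""Flag declared Gradle dependencies whose version lies in a known-vulnerable range.

Added example, not from the original post. The Gradle snippet and the advisory
table are constructed for illustration; CVE-2018-1000850 is the id the post cites
for Retrofit, but the version bounds given here are PLACEHOLDERS, not the real
affected range. Replace the table with data from NVD or the GitHub Advisory
Database before using this on a real project."""
import re

# Constructed advisory table: coordinate -> list of (advisory id, affected_from, fixed_in).
# A version v is considered affected when affected_from <= v < fixed_in.
ADVISORIES = {
    "com.squareup.retrofit2:retrofit": [
        # Bounds are placeholders for the example, not the published NVD range.
        ("CVE-2018-1000850", "2.0.0", "2.9.9"),
    ],
    "com.example:jpeg-encoder": [
        # Hypothetical library standing in for an image codec; hypothetical advisory id.
        ("EXAMPLE-ADVISORY-0001", "1.0.0", "1.4.2"),
    ],
}

# Matches Gradle string-notation dependency lines such as
#   implementation 'com.squareup.retrofit2:retrofit:2.3.0'
#   testImplementation "junit:junit:4.12"
DEP_RE = re.compile(
    r"""^\s*(?:implementation|api|compileOnly|runtimeOnly|testImplementation)\s*"""
    r"""\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)


def parse_version(text):
    """Turn '2.3.0-beta1' into a comparable key: (numeric parts padded to 4, release flag).
    The flag is 0 for a pre-release suffix and 1 for a plain release, so that
    '2.5.0-rc1' sorts below '2.5.0' and is still treated as affected by a fix in 2.5.0."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # treat 2.3 as 2.3.0.0 for comparison
    release_flag = 0 if m.group(2) else 1
    return (nums, release_flag)


def is_affected(version, affected_from, fixed_in):
    """True when affected_from <= version < fixed_in (fixed_in itself is clean)."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


def parse_gradle_dependencies(text):
    """Return [(group:artifact, version), ...] for each string-notation dependency line."""
    deps = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            group, artifact, version = m.groups()
            deps.append((f"{group}:{artifact}", version))
    return deps


def audit(gradle_text, advisories=ADVISORIES):
    """Return findings as [(coordinate, declared version, advisory id), ...]."""
    findings = []
    for coordinate, version in parse_gradle_dependencies(gradle_text):
        for adv_id, affected_from, fixed_in in advisories.get(coordinate, []):
            if is_affected(version, affected_from, fixed_in):
                findings.append((coordinate, version, adv_id))
    return findings


# Constructed build.gradle fragment standing in for an Android app module.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.squareup.retrofit2:retrofit:2.3.0'
    implementation 'com.squareup.okhttp3:okhttp:3.12.0'
    implementation "com.example:jpeg-encoder:1.4.2"
    testImplementation 'junit:junit:4.12'
}
"""

if __name__ == "__main__":
    for coordinate, version, adv_id in audit(SAMPLE_BUILD_GRADLE):
        print(f"{coordinate}:{version} is inside the affected range of {adv_id}")
```

Two details matter more than the regex. First, the upper bound is exclusive: a version equal to `fixed_in` is clean, which is why the hypothetical encoder at 1.4.2 is not reported. Second, pre-release tags sort below the plain release of the same number, so a `-rc1` build of the fixed version is still flagged; a naive string comparison gets both of these wrong. In a real pipeline the advisory table would be fetched from NVD or a dependency-scanning service and the script run on every build, which is what "always up to date" amounts to in practice.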

References

[1] Square. Retrofit. https://square.github.io/retrofit. Online

[2] National Vulnerability Database. CVE-2018-1000850 Detail. https://nvd.nist.gov/vuln/detail/CVE-2018-1000850. Online

[3] Check Point Research. #Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS. https://research.checkpoint.com/2020/instagram_rce-code-execution-vulnerability-in-instagram-app-for-android-and-ios. Online

[4] OWASP. A9:2017-Using Components with Known Vulnerabilities. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities. Online

#third-party libraries #vulnerability #android #ios #facebook #cve #owasp #coding