In aggregate, the 10 apps analyzed have over 21.5 million downloads from the Google Play Store. For perspective, these apps have been downloaded by as many people as the population of metropolitan São Paulo.
- Average number of components per app: 125
- Average number of vulnerable components per app: 10
- Average number of vulnerabilities per app: 179
Despite evidence of active development, many of the apps we analyzed use outdated open source components with their associated known vulnerabilities. In the software world, two or three years is a long time; in the apps we analyzed, we found open source components dating back to 2010.
Known vulnerabilities in open source components are not necessarily exposed in the app. However, risk increases with the age of the components and the number of known vulnerabilities. Furthermore, outdated components are a sign that development teams are not managing their open source dependencies, which in turn suggests that they may not be handling security well in general.
The sports and betting apps we analyzed scored significantly worse than the average numbers we encountered in our 2021 report, “Peril in a Pandemic.” In that research, we examined 3,335 apps and found the following:
- Apps with vulnerable components: 63% (in this analysis, 100%)
- Average number of vulnerabilities per app: 39 (in this analysis, 179)
Are these apps safe to use? Some development teams are doing better than others at managing their open source dependencies. Consumers, unfortunately, do not have this visibility and must hope that app developers and app stores will improve their security processes. If we can do this type of analysis, app stores can do this type of analysis.
Setting a bar for vulnerabilities in software components, even a low bar, would improve the security of apps that are permitted in app stores. This would drive down risk for consumers, for app developers, and for the entire ecosystem.
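The age-and-vulnerability risk described above, and the "bar" for components proposed here, can both be expressed as a simple policy gate over an app's component inventory. The script below is an added example, not code from the report or from any app store or scanning product; the component names, release dates and vulnerability counts are constructed for illustration and do not describe real packages. It reproduces the report's per-app counts (components, vulnerable components, vulnerabilities) from the inventory, flags components that are older than a chosen age or carry more known vulnerabilities than the policy allows, and orders findings so the riskiest come first:

```python
"""Dependency-age and known-vulnerability gate over a constructed component inventory.

Added example (not code from the report). Component names, dates and
vulnerability counts are constructed, not real packages.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str            # hypothetical package name
    version: str
    released: date       # release date of this exact version
    known_vulns: int     # number of published vulnerabilities matching this version


# Constructed inventory standing in for one app's software bill of materials (SBOM).
INVENTORY: List[Component] = [
    Component("lib-alpha", "1.0.3", date(2010, 6, 1), 4),
    Component("lib-beta", "2.8.0", date(2019, 3, 15), 0),
    Component("lib-gamma", "0.9.1", date(2021, 11, 2), 1),
    Component("lib-delta", "5.2.0", date(2022, 9, 20), 0),
]
TODAY = date(2023, 1, 1)  # fixed date so the example is reproducible


def age_years(component: Component, today: date = TODAY) -> float:
    """Age of the component version in years (365.25-day years)."""
    return (today - component.released).days / 365.25


def summarize(inventory: List[Component]) -> Dict[str, int]:
    """Per-app counts in the same shape as the report's headline numbers."""
    return {
        "components": len(inventory),
        "vulnerable_components": sum(1 for c in inventory if c.known_vulns > 0),
        "vulnerabilities": sum(c.known_vulns for c in inventory),
    }


def assess(inventory: List[Component], today: date = TODAY,
           max_age_years: float = 3.0, max_known_vulns: int = 0) -> List[Tuple[str, List[str]]]:
    """Return (name, reasons) for every component that breaches the policy.

    Findings are ordered so the riskiest component (most known vulnerabilities,
    then oldest) comes first, which is the order a team should triage them in.
    """
    findings = []
    for c in inventory:
        reasons = []
        age = age_years(c, today)
        if age > max_age_years:
            reasons.append(f"released {c.released.isoformat()} "
                           f"({age:.1f} years old, limit {max_age_years})")
        if c.known_vulns > max_known_vulns:
            reasons.append(f"{c.known_vulns} known vulnerabilities, "
                           f"{max_known_vulns} allowed")
        if reasons:
            findings.append((c, reasons))
    findings.sort(key=lambda f: (f[0].known_vulns, age_years(f[0], today)), reverse=True)
    return [(c.name, reasons) for c, reasons in findings]


def gate(inventory: List[Component], today: date = TODAY,
         max_age_years: float = 3.0, max_known_vulns: int = 0) -> bool:
    """True when the inventory clears the bar, False when any component breaches it."""
    return not assess(inventory, today, max_age_years, max_known_vulns)


if __name__ == "__main__":
    print(summarize(INVENTORY))
    for name, reasons in assess(INVENTORY):
        print(f"{name}: " + "; ".join(reasons))
    print("PASS" if gate(INVENTORY) else "FAIL")
```

With the default policy (no component older than three years, no known vulnerabilities) the constructed inventory fails on three of its four components; loosening the thresholds lets it pass. The age check is deliberately separate from the vulnerability count: a component with no published vulnerabilities can still be years out of date, which the report treats as its own warning sign about how dependencies are being managed.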