CyRC special report: Secure apps? Don’t bet on it

With the Super Bowl approaching in the U.S., the Synopsys Cybersecurity Research Center (CyRC) set out to evaluate the 10 most popular Android sports and betting apps through the lens of supply chain security. We used Black Duck® Binary Analysis (BDBA) to examine the open source components used in these apps.

Executive summary

In aggregate, the 10 apps analyzed have over 21.5 million downloads from the Google Play Store. For perspective, these apps have been downloaded by as many people as the population of metropolitan São Paulo.

• Average number of components per app: 125
• Average number of vulnerable components per app: 10
• Average number of vulnerabilities per app: 179

Despite evidence of active development, many of the apps we analyzed use outdated open source components with their associated known vulnerabilities. In the software world, two or three years is a long time; in the apps we analyzed, we found open source components dating back to 2010.

Known vulnerabilities in open source components are not necessarily exposed in the app. However, risk increases with the age of the components and the number of known vulnerabilities. Furthermore, outdated components are an indication that development teams are not managing their open source dependencies, which could be an indication that they are not handling security well in general.

The sports and betting apps we analyzed scored significantly worse than the average numbers we encountered in our 2021 report, “Peril in a Pandemic.” In that research, we examined 3,335 apps and found the following:

• Apps with vulnerable components: 63% (in this analysis, 100%)
• Average number of vulnerabilities per app: 39 (in this analysis, 179)

Are these apps safe to use? Some development teams are doing better than others at managing their open source dependencies. Consumers, unfortunately, do not have this visibility and must hope that app developers and app stores will improve their security processes. If we can do this type of analysis, app stores can do this type of analysis.

Setting a bar for vulnerabilities in software components, even a low bar, would improve the security of apps that are permitted in app stores. This would drive down risk for consumers, for app developers, and for the entire ecosystem.

Using open source components allows development teams to quickly bring their software to market, but the open source components must be properly managed to minimize risk. The components themselves can have vulnerabilities that might be exposed in the application.

A doughnut hole inside a doughnut hole

Unfortunately, the full structure is more complicated. Each open source component can itself be assembled from other open source components. A single application’s dependencies, instead of being a neat list, are more like a network or a hierarchy.

Open source components used by the containing software are dependencies, and the open source components used by the dependencies are transitive dependencies.

About Black Duck Binary Analysis (BDBA)

Black Duck Binary Analysis is a software composition analysis (SCA) tool. Like any SCA tool, BDBA identifies the open source components used in an application, and then lists the known vulnerabilities and software licenses of those components. SCA is just one important part in managing software supply chain risk.

Most SCA tools examine the source code of an application to determine its dependencies. A variety of matching techniques are used as appropriate. The tool might look at the source code itself, or examine package manifests such as Maven files or NPM package lists, or it might compare file hashes for already compiled components.

Determining dependencies can be challenging. Software build scripts sometimes retrieve open source components during the build. Furthermore, components might be incorporated as source code or as compiled executables or shared libraries.

BDBA is unique in that it examines executable files; no source code is required. This makes it perfect for examining commercial apps when source code is unavailable. Furthermore, BDBA easily finds both direct dependencies and transitive dependencies.

Method

We searched the Google Play Store for sports betting apps and then compiled a list of all apps with more than 500K downloads. This yielded a list of 11 apps. We then eliminated one from the list as being more of a game than an actual betting app. For the remaining 10, we obtained the packaged apps (as APK files) from APKPure. We analyzed each app’s APK file using BDBA.

We performed the download and analysis twice, once on December 9, 2022, and again on January 20, 2023.

Clearly, these apps are under active development, as all but one released at least one new version in the 42 days between the two analyses. The discussion below is based on the analyses from January 20, 2023.

We deliberately chose to present results and analysis without naming specific apps. Highlighting potential vulnerabilities in specific apps is irresponsible and would only serve to focus attackers’ attentions on potential attack vectors.

We present this research in the hopes that it will encourage development teams to be vigilant about their supply chain and help consumers understand the complexities of software and apps.

The average number of components per app is 125, with an average of 10 components with known vulnerabilities.

A few aggregate findings stood out in this category.

• Eight apps request permission for coarse and fine location access. This probably makes sense, because apps that support betting functionality are likely to need the user’s physical location in order to comply with jurisdictional laws.
• The same set of eight apps also requested access to the camera.
• Four apps requested access to record audio.

Sensitive permissions like camera access and recording audio might make sense in the context of an app’s functionality. Nevertheless, careful users should be skeptical about the permissions requested by an app and why they might be necessary.

In the remainder of this blog post, we’ll examine the software components of five apps (again, without naming them) and discuss the interesting security findings.

sqlite3 was packaged into a shared library, libtdm-5.4-73-jni.so, which is available for different processor architectures inside the app’s APK file. We don’t know the origin of libtdm-5.4-73-jni.so—it could be commercially available or created by another team. Regardless, a very old version of sqlite3 is built into it, making sqlite3 a transitive dependency of app A.

So although app A’s development team appears to be managing direct dependencies well, it missed a transitive dependency that could be exposing the app to multiple security vulnerabilities.

App B is incorporating an older version of SkiaSharp, which has a cascade of older transitive dependencies and a deluge of their associated known vulnerabilities.

Components this old clearly show that the development team does not have visibility into its own SBOM and is not taking steps to keep components up-to-date or minimize known vulnerabilities.

This does appear to be a legitimate Amazon Web Services (AWS) key. However, this particular type of key (prefixed with ASIA) is supposed to be short term and also requires a session token in order to be useful. Our further analysis of the app concluded that either the session token was missing or the key had already expired.

Nevertheless, leaving secrets like this inside a packaged and deployed app is almost certainly a mistake, and the development team for app D should be reviewing its source code and build pipelines for this type of leakage.