Android Apps: The dangers of Viber, Booking.com, and Edge
The low level of security is probably one of the best-known shortcomings of Android. It is generally assumed that Google does not control the software that gets into Google Play, ignores updates, and does not fix vulnerabilities that occur in its operating system at all.
However, Google’s main problem is the company’s inability, regardless of its fame or authority, to set strict rules and force those who can actually influence the security of Android to take some measures.
Previously, a fake Uniswap clone was spotted on Google Play. Therefore, we cannot guarantee the security of downloading any apps on Google Play.
It was discovered earlier in 2020 that users of Android apps were exposed to identity theft due to a vulnerability in the Play Core library. This is one of the key libraries used in software development. It is at the heart of most of the apps distributed through Google Play and enables them to interact with the catalog. For example, Play Core is what lets an app show a dialog box asking you to rate it without going to Google Play. It is also how app updates reach your phone.
Dangerous Android apps
According to cybersecurity experts at Check Point, about 8% of all applications use an outdated version of the Play Core library. Such apps can expose confidential data, such as two-factor authentication codes, and contribute to the infection of benign software. Given the breadth of Google Play’s product range, it’s evident that this is quite a lot of vulnerable apps.
We will list only the most well-known applications affected by the described vulnerability:
- Walla! Sports
- Yango Pro
Note: Even top Google Play apps can be dangerous.
Even if you see the familiar name of a popular app, you can’t be certain it is the original app and not a fake one. This vulnerability even affects such well-known applications as the Viber messenger, the hotel booking service Booking.com, and Microsoft’s Edge browser. The susceptibility of these apps to malicious code can be really dangerous for you, your data, and your device.
Google Play Issues
Actually, the blame for the risk posed by these applications rests with developers who are in no hurry to update the Play Core library that is the basis of their products. Google can’t, on its own initiative, interfere with the content of a third-party app to fix a critical vulnerability if the developers refuse to fix it themselves.
However, Google may require developers to update their app libraries to fix critical vulnerabilities within 90 days.
But there is a moral conflict here. After all, the vulnerability that developers need to fix was not caused by them, but by Google, which also sometimes allows itself to delay the deadline for fixing bugs.
Therefore, it will be somewhat hypocritical to force the creators of software that is hosted on Google Play not only to fix the vulnerability but also to meet deadlines set by someone else.
Nevertheless, it makes perfect sense to require developers to fix vulnerabilities, even if they are indirectly caused by Google, within a reasonable time. After all, we are talking about the security of millions of users, and in this case Google just needs to follow the rules by removing apps from Google Play that do not address the problem in a timely manner. As a result, developers will start to treat Google with respect, and users will have confidence in Android.