Identify vulnerabilities in third-party software libraries

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. [1] [2] [3]

ID: T1389

Tactic: Technical Weakness Identification

Version: 1.0

Detection

Detectable by Common Defenses (Yes/No/Partial): Partial

Explanation: Open source software has great appeal mostly due to the time savings and that it is free. However, using this code without assessing it's security is akin to blindly executing third party software. Companies often do not dedicate the time to appropriately detect and scan for vulnerabilities. The mainstream mobile application stores scan applications for some known vulnerabilities. For example, Google's Android Application Security Improvement Program identifies and alerts developers to vulnerabilities present in their applications from use of the Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio third-party libraries. However, these scans are not likely to cover all vulnerable libraries, developers may not always act on the results, and the results may not be made available to impacted end users of the applications.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Developers commonly use open source libraries such that where an adversary can easily discover known vulnerabilities and create exploits. It is also generally easy to decompile arbitrary mobile applications to determine what libraries they use, and similarly use this information to correlate against known CVEs and exploit packages.

References

  1. John Lipsey. (2015, March 25). 15,435 Vulnerabilities in Close to 4,000 Applications in 2014. Retrieved April 12, 2017.
  2. Google. (2016, April). Android Security 2015 Year In Review. Retrieved April 12, 2017.
  1. Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. Retrieved April 12, 2017.