Enero 4, 2020

No app is an island: The malware dangers of libraries and APIs

Joel Snyder

Every application depends on other software to work. It’s not just the operating system, but an entire ecosystem of libraries and Application Programming Interfaces (APIs) that speed the process of developing and delivering all modern applications. From a software developer’s point of view, the wide variety of libraries and packages available is an amazing accelerator. It’s code that doesn’t have to be written and debugged and maintained because someone out there is already doing that work. But it can also be an accelerator for malware.

For example, let’s suppose you need to know how many hours are between two dates. If you’re a programmer, you can definitely figure this out. First, you convert the date (like “January 16, 1964”) to some standard format. Do the other date, and then subtract the two. The answer might be in seconds, so you’d divide that by 3600, and boom, there’s your answer. Except that we’re now talking about thousands of lines of software to do all of that work.

Or, you can take the easy way out: Find a library with some time-and-date API you can call to hand over a couple of dates and do the subtraction. That’s not just easy — it’s actually better, because you can use a library that has been tested and debugged and is based on hundreds of hours of someone else’s work, probably doing an excellent job at solving the problem.


Do APIs pose security risks?

For an IT manager, though, this style of software development comes with increased complexity and security risks. Why? Because when you install an application from developer X, you aren’t just installing software from X. You’re also installing libraries and APIs from A, B, C, D, E and F. And that can bring potential problems. First, each of these libraries and APIs may have bugs that can open the door to system compromise and security failure.

Second, the libraries and APIs are generally large compared to the amount of code that is actually needed. For example, a date-time library has more than 100 functions in it. And even if only one of those functions is needed, the entire library is loaded when even one of the routines is ever called. More code equals more potential for security problems.

It’s not just a theoretical problem. In October 2019, security researchers discovered that WhatsApp was using a library called “libpl_droidsonroids_gif.” That library has a memory allocation error in it (called a “double-free” bug). Combining that bug with a complementary bug in WhatsApp, and the researchers discovered several small holes that can be used to compromise Android versions 8.1 and 9.0.


What can be done about it?

Is this a problem? What can an IT manager actually do about these libraries that are hitchhiking on their applications? The unfortunate answer is, “not much.” But there are some things to keep in mind when users want to install applications on their mobile devices.

  1. Just because the software developer is trusted and trustworthy doesn’t mean that the entire software supply chain is uncompromised. Treat every application, even ones from trusted vendors, as a potential security problem. Tools such as Android for Work and Knox Platform for Enterprise help to isolate applications and data, reducing the risk when security is compromised.

  2. Use your Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) tools to control application installation. For example, restricting application installations to the Google Play Store or requiring that Google Play Protect be enabled can help reduce the risk of malware making a beachhead on your mobile devices.

  3. Using approved application lists is a radical step, but in high-security environments or those where the costs of compromise are very high, it may be the right step — again, managed through your MDM/EMM tools.

  4. Remove applications, especially applications that are not being regularly updated, from your mobile devices when they are not being used. If someone loads a car rental app on their mobile device because they want to rent a car, that’s fine. But if that’s a one-off and they normally use a different rental car agency, get rid of that application.

  5. If you’re also developing applications, encourage your development team to work with native Android APIs rather than third-party libraries. That’s not a promise that API compromise won’t happen, but it means you’re traveling a broader road with many more application developers, and many more eyes are looking at that code — which usually speeds security updates.

Today’s mobile device landscape is dotted with security landmines, and businesses and their employees can never be too cautious about what’s happening inside smartphones or tablets. See how Samsung Knox can help you navigate this landscape.

[Ícono] cerrar

Comenzar con Samsung Knox

[Ícono] maletín
¿Es un distribuidor, un proveedor de soluciones o un proveedor de servicios?

Conviértase en socio de Knox y haga crecer su empresa hoy mismo.

[Ícono] información

Seleccione un producto Knox para comenzar:

Paquete todo en uno
Knox Suite
Cambios de marca y personalización
Knox Configure
Protección contra el fraude y el robo
Knox Guard
Plan de protección de dispositivos
Samsung Care+ for Business
Otros productos y servicios

Comience con

[Imagen] Knox Suite

Paquete de soluciones todo en uno para ofrecer movilidad empresarial.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Un conjunto completo de herramientas para proteger, implementar, administrar y analizar los dispositivos corporativos.
  • Pruebe funciones potentes incluidas en el paquete de Knox Suite.

Knox Suite incluye lo siguiente:

Knox Mobile Enrollment Gratuita
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuita
Soporte remoto de Knox
Knox Capture
Knox Authentication Manager

Comience con

[Imagen] Logotipo de Knox Configure

Personalice sus dispositivos Samsung y cámbieles la marca.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Configure de forma remota los dispositivos Samsung en masa y personalícelos según las necesidades específicas, desde el primer momento.
  • Configure sus dispositivos para una implementación de una sola vez o actualícelos cuantas veces quiera.

Comience con

[Ícono] Logotipo de Knox Guard

Protección contra el fraude y el robo para dispositivos Samsung.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Reduzca los riesgos financieros y proteja los activos mediante el control remoto de dispositivos Samsung.
  • Pruebe todas las funciones de Knox Guard, incluidos el control de SIM y el bloqueo de dispositivos.

Comience con

[Imagen] Logotipo de Samsung Care Plus For Business

Planes de protección de dispositivos para dispositivos Samsung.

  • Limite las interrupciones empresariales con reparaciones y reemplazos de dispositivos rápidos. Comuníquese con el equipo de ventas de Samsung para comenzar.
  • Vea toda la cobertura para dispositivos e información de reclamaciones en un solo lugar.
  • ¿Ya compró Samsung Care+ for Business? Cree una cuenta y active su plan en la consola Samsung Care+ for Business.

Otros productos y servicios

[Imagen] Otros logotipos

Soluciones modernas para abordar sus necesidades únicas.

  • Obtenga soporte técnico eficiente de un administrador de cuentas dedicado con el Soporte técnico empresarial.
  • Cree dispositivos a medida para su empresa mediante Samsung Software Customization Service.