Gennaio 4, 2020

No app is an island: The malware dangers of libraries and APIs

Joel Snyder

Every application depends on other software to work. It’s not just the operating system, but an entire ecosystem of libraries and Application Programming Interfaces (APIs) that speed the process of developing and delivering all modern applications. From a software developer’s point of view, the wide variety of libraries and packages available is an amazing accelerator. It’s code that doesn’t have to be written and debugged and maintained because someone out there is already doing that work. But it can also be an accelerator for malware.

For example, let’s suppose you need to know how many hours are between two dates. If you’re a programmer, you can definitely figure this out. First, you convert the date (like “January 16, 1964”) to some standard format. Do the other date, and then subtract the two. The answer might be in seconds, so you’d divide that by 3600, and boom, there’s your answer. Except that we’re now talking about thousands of lines of software to do all of that work.

Or, you can take the easy way out: Find a library with some time-and-date API you can call to hand over a couple of dates and do the subtraction. That’s not just easy — it’s actually better, because you can use a library that has been tested and debugged and is based on hundreds of hours of someone else’s work, probably doing an excellent job at solving the problem.


Do APIs pose security risks?

For an IT manager, though, this style of software development comes with increased complexity and security risks. Why? Because when you install an application from developer X, you aren’t just installing software from X. You’re also installing libraries and APIs from A, B, C, D, E and F. And that can bring potential problems. First, each of these libraries and APIs may have bugs that can open the door to system compromise and security failure.

Second, the libraries and APIs are generally large compared to the amount of code that is actually needed. For example, a date-time library has more than 100 functions in it. And even if only one of those functions is needed, the entire library is loaded when even one of the routines is ever called. More code equals more potential for security problems.

It’s not just a theoretical problem. In October 2019, security researchers discovered that WhatsApp was using a library called “libpl_droidsonroids_gif.” That library has a memory allocation error in it (called a “double-free” bug). Combining that bug with a complementary bug in WhatsApp, and the researchers discovered several small holes that can be used to compromise Android versions 8.1 and 9.0.


What can be done about it?

Is this a problem? What can an IT manager actually do about these libraries that are hitchhiking on their applications? The unfortunate answer is, “not much.” But there are some things to keep in mind when users want to install applications on their mobile devices.

  1. Just because the software developer is trusted and trustworthy doesn’t mean that the entire software supply chain is uncompromised. Treat every application, even ones from trusted vendors, as a potential security problem. Tools such as Android for Work and Knox Platform for Enterprise help to isolate applications and data, reducing the risk when security is compromised.

  2. Use your Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) tools to control application installation. For example, restricting application installations to the Google Play Store or requiring that Google Play Protect be enabled can help reduce the risk of malware making a beachhead on your mobile devices.

  3. Using approved application lists is a radical step, but in high-security environments or those where the costs of compromise are very high, it may be the right step — again, managed through your MDM/EMM tools.

  4. Remove applications, especially applications that are not being regularly updated, from your mobile devices when they are not being used. If someone loads a car rental app on their mobile device because they want to rent a car, that’s fine. But if that’s a one-off and they normally use a different rental car agency, get rid of that application.

  5. If you’re also developing applications, encourage your development team to work with native Android APIs rather than third-party libraries. That’s not a promise that API compromise won’t happen, but it means you’re traveling a broader road with many more application developers, and many more eyes are looking at that code — which usually speeds security updates.

Today’s mobile device landscape is dotted with security landmines, and businesses and their employees can never be too cautious about what’s happening inside smartphones or tablets. See how Samsung Knox can help you navigate this landscape.

[Icon] chiudi

Comincia a utilizzare Samsung Knox

[Icona] valigia
Sei un rivenditore, un provider di soluzioni o un provider di servizi?

Diventa un partner Knox e fai crescere la tua azienda oggi.

[Icon] info

Seleziona un prodotto Knox per iniziare:

Soluzione completa
Knox Suite
Rebranding e personalizzazione
Knox Configure
Protezione da frodi e furti
Knox Guard
Piano di protezione dei dispositivi
Samsung Care+ for Business
Altri prodotti e servizi

Inizia a utilizzare

[Image] Knox Suite

Una soluzione completa in bundle, appositamente concepita per la mobilità aziendale.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Un set di strumenti completo per proteggere, distribuire, gestire e analizzare i dispositivi della tua azienda.
  • Prova le straordinarie funzionalità di Knox Suite

Knox Suite comprende:

Knox Mobile Enrollment Gratuito
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuito
Supporto remoto Knox
Knox Capture
Knox Authentication Manager

Inizia a utilizzare

[Image] Logo Knox Configure

Consenti il rebranding e la personalizzazione dei tuoi dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Configura da remoto i dispositivi Samsung in blocco e personalizzali in base alle tue esigenze specifiche per un uso immediato.
  • Configura i tuoi dispositivi per la singola distribuzione o aggiornali tutte le volte che vuoi.

Inizia a utilizzare

[Icon] Logo Knox Guard

Protezione da frodi e furti per i dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Riduci i rischi finanziari e proteggi gli asset controllando in remoto i dispositivi Samsung.
  • Prova tutte le funzionalità di Knox Guard, inclusi controllo della SIM e blocco del dispositivo.

Inizia a utilizzare

[Image] Logo Samsung Care Plus For Business

Piano di protezione per i dispositivi Samsung.

  • Limita le interruzioni delle attività con riparazioni e sostituzioni rapide dei dispositivi. Contatta l'ufficio vendite Samsung per iniziare.
  • Visualizza tutte le informazioni sulla copertura del tuo dispositivo e sul reclamo in un unico luogo.
  • Hai già acquistato Samsung Care+ for Business? Crea un account e attiva il piano nella console Samsung Care+ for Business.

Altri prodotti e servizi

[Image] Logo di altri prodotti

Soluzioni moderne per soddisfare le tue esigenze specifiche.

  • Ricevi supporto tecnico efficiente da parte di un account manager dedicato con Enterprise Tech Support.
  • Crea dispositivi su misura per la tua azienda utilizzando Samsung Software Customization Service.