According to new research from IBM, a newly developed open source security tool led to a massive increase in known mobile application vulnerabilities in 2014.
In its first 2015 Threat Intelligence Quarterly report, IBM X-Force said vulnerability disclosures were up from 8,400 in 2013 to about 30,000 last year, which was the highest single-year total in the 18-year history of X-Force.
IBM X-Force researcher Jason Kravitz said data from previous years suggested 2014 would see a modest decline in the number of vulnerability disclosures, initially forecasted to remain in the 7,000 to 8,000 range.
"If you look over the past four or five years, vulnerabilities have been relatively flat in terms of the total number," Kravitz said. "Our projections [for 2014] looked like by the end of the year we might actually be a bit lower than 2013."
But that was before Will Dormann, vulnerability analyst with the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, developed a new way to discover Android mobile application vulnerabilities.
Dormann was researching man-in-the-middle (MITM) attacks and wanted to test applications in a way that routed application traffic through a proxy, but did not alert the application. He thus needed to design a proxy that would test outside of the application layer.
Dormann's solution was the CERT Transparent Proxy Capture Appliance (Tapioca). First announced in August, the tool serves as a transparent network-layer proxy for MITM software analysis.
"With some client applications you can specify that you want to use a proxy," Dormann explained. "There've already been some MITM proxy tools that have been released [such as ZAP, Burp and Fiddler]. But if you ever want to test an application that doesn't support specifying a proxy, or for whatever reason it's not using the OS configured proxy, Tapioca operates on a network level."
Dormann explained that all one needs to do is configure a virtual machine, or a wireless access point for physical testing, and basically use Tapioca as an Internet gateway. For any system that is configured that way, Tapioca will see all of the Web requests that go over the network.
Soon, Dormann discovered that Tapioca could be used to check for applications that didn't properly validate SSL certificates. And by using an Android emulator, a Linux Virtual Machine (VM) and some other tricks, Dormann automated the process. He ran the Tapioca tool on multiple virtual machines for several months -- beginning in August 2014 and terminating in January 2015 -- with the number of apps tested reaching just over 1 million.
Tapioca was the key to the discovery of several thousand vulnerable Android apps; it rifled through the Google Play Store and, according to the X-Force Threat Intelligence Quarterly, led directly to the Android app vulnerability spike in 2014. According to the Tapioca project's public spreadsheet, 23,667 apps failed the dynamic testing, primarily because of vulnerabilities caused by improper validation of SSL certificates.
"What we're discovering with this Tapioca tool is there are actually 20,000 or more applications that are vulnerable, and the way that they're implementing their SSL is causing this problem," Kravitz said. "It's not like there's one library that they're including that has that vulnerability -- those 20,000 applications are actually vulnerable."
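The failures Tapioca surfaces come from each app's own TLS code rather than a shared library, so a code-review pre-check for the usual culprits is a useful complement to the dynamic proxy test. The following is an added example, not part of CERT Tapioca or the X-Force report: a small Python scanner for the three Android source patterns that most often cause an app to accept an untrusted certificate (an `X509TrustManager` whose `checkServerTrusted` body is empty, a `HostnameVerifier` that unconditionally returns `true`, and the legacy `ALLOW_ALL_HOSTNAME_VERIFIER` constant). The Java snippets it scans are constructed sample input; the function and finding names are this example's own.

```python
"""Static pre-check for the certificate-validation mistakes that make an
Android app fail a transparent-proxy (MITM) test.  Added example, not part
of CERT Tapioca; it flags source patterns and does not replace dynamic testing."""
import re
from typing import Dict, List, Tuple

# (finding id, regex).  Each regex targets one well-known anti-pattern:
#  - checkServerTrusted whose body is empty or contains only // comments
#  - HostnameVerifier.verify that just returns true
#  - the deprecated Apache HttpClient ALLOW_ALL_HOSTNAME_VERIFIER constant
INSECURE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("empty-checkServerTrusted",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*"
                r"(?:throws\s+[\w.,\s]+)?\{\s*(?://[^\n]*\s*)*\}")),
    ("hostname-verifier-returns-true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("allow-all-hostname-verifier",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
]


def scan_source(src: str) -> List[Tuple[str, int]]:
    """Return (finding id, 1-based line number) for every insecure pattern in src."""
    findings = []
    for finding_id, pattern in INSECURE_PATTERNS:
        for match in pattern.finditer(src):
            line = src.count("\n", 0, match.start()) + 1
            findings.append((finding_id, line))
    return sorted(findings, key=lambda f: f[1])


def scan_app(sources: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a {path: source text} map; only files with findings appear in the report."""
    report: Dict[str, List[Tuple[str, int]]] = {}
    for path, src in sources.items():
        hits = scan_source(src)
        if hits:
            report[path] = hits
    return report


# Constructed sample input: an app built the way the failing apps were.
VULNERABLE_APP = {
    "net/TrustAll.java": """\
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept any server certificate
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
""",
    "net/NoHostCheck.java": """\
public class NoHostCheck implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
""",
    "net/Legacy.java": """\
client.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
""",
}

# Constructed sample input: the platform default plus a real checkServerTrusted.
SAFE_APP = {
    "net/Client.java": """\
// Platform default SSLContext: system trust store and hostname check both apply.
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.connect();
""",
    "net/Pinning.java": """\
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    // delegate to the platform trust manager, then compare the pin
    platformTrustManager.checkServerTrusted(chain, authType);
    if (!PINS.contains(sha256(chain[0].getPublicKey()))) {
        throw new CertificateException("pin mismatch");
    }
}
""",
}

if __name__ == "__main__":
    for path, hits in scan_app(VULNERABLE_APP).items():
        for finding_id, line in hits:
            print(f"{path}:{line}: {finding_id}")
    print("safe app findings:", scan_app(SAFE_APP))
```

A hit from this scanner is a strong signal but a clean result is not proof of correct validation (obfuscated code, reflection, or a third-party HTTP stack can hide the same mistake), which is exactly why a network-layer check like Tapioca's is the final arbiter.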
Kravitz said the Tapioca tool was a game changer; while X-Force had catalogued 9,200 vulnerabilities of its own, the open source security tool more than tripled that number.
"In the past, we didn't necessarily get a huge number of applications that had vulnerabilities," he said. "If there's a vulnerability in a WordPress plugin, that might affect 100,000 sites, but we don't write 100,000 vulnerability records in our database for that, because it's one vulnerability."
For every app that failed testing, CERT contacted the app developer (if contact details were provided on the Play store). But only about one out of every 1,000 developers reported back to CERT and confirmed fixing the vulnerabilities. Kravitz said it was unclear how long the vulnerabilities existed.
"Assuming those applications were released prior to [last] October -- which they probably were -- they potentially had that vulnerability there," Kravitz said. "It's just that nobody went and discovered this until [CERT] started auditing them with the Tapioca tool."
Dormann has since crowd-sourced testing with the Tapioca tool. New Android apps are constantly being released, as are new versions of old apps. There are also iOS and other mobile platforms that CERT did not test, largely due to the lack of an Android Debug Bridge (ADB)-like utility, which lets users interact with an emulator instance. Without that kind of command-line tool, Dormann said, Tapioca can't be automated, making testing less feasible.
"With iPhone SDK they have the iPhone Simulator -- but that really just simulates the look and feel of what your applications looks like," Dormann said. "In order to test something with Tapioca, you need something that functions the same way on the network basis."
Dormann did examine an iPhone by associating it with an access point, but said testing iOS apps on a mass scale would not be possible if a physical phone were required. He said it was too early to tell with iOS what sort of automation would be possible for Tapioca.
X-Force's report said Tapioca "not only changed the 2014 year-end [vulnerability disclosure] count, but also the discussion on how disclosures should be recorded." While the Tapioca tool was used for legitimate research purposes, Dormann acknowledged that hackers and cybercriminals could use the open source security tool to find and exploit vulnerabilities before developers have a chance to patch them.
"Take any particular security tool – it's possible someone might use it, for lack of a better word, for good," Dormann said. "And there might be folks that use tools for things that are not necessarily beneficial for others. … The availability of tools simply helps raise the bar of the quality of software that is out there."