Reading between the lines of security alerts

Wading through daily security alerts can be confusing to security adminstrators who need to ascertain the actual potential impact of any threat.

Take last week’s alert about Apache Cordova (or Adobe PhoneGap), an app development framework which contains a remotely exploitable security flaw affecting Android banking apps - the security alert issued by IBM’s X-Force leaves one with more questions than answers.

Make no mistake: the security flaw is real, and the Apache Foundation and IBM have distributed patches against it and rate it as serious.  

Cordova is found in 6 percent of all Android apps, according to Android app directory AppBrain, which IBM says puts "millions of users” at risk of credentials theft. 

If AppBrain’s stats are correct, as many as 77,000 vulnerable Google Play apps could require patching.

And if any of those apps are popular, it could mean millions of users have a security headache on the horizon.

But the extent to which that is the case is unclear.

IBM’s X-Force researchers said they found the flaw in 25 apps out of 248 tested by searching for the keyword “bank”.

However, you should not infer that all Android banking apps are at risk - the “bank” search term catches the Piggy Dash and Bank Bomb Police Chase games as well.

Additionally, IBM doesn’t explicitly state it tested only banking apps - so IBM's claim in the security alert that one in 10 Android banking apps are vulnerable is not entirely accurate.

It’s also worth noting that AppBrain lists Cordova as only representing 1.26 percent of the total app downloads from the Google Play Store - which amounts to 17,000 apps.

That's still a big number, but far fewer vulnerable apps than IBM claimed.

According to AppBrain, the Android version of Skype uses Cordova and has been downloaded over 100 million times, as does Amazon’s mobile Android shopping app, which has had over 10 million downloads.

In the finance category - which again has apps downloaded tens of millions of times - Cordova is found in 11 percent of items.

Are all these apps vulnerable? Are patches required? Who knows.

An unkind observer might point to the recent deal between IBM and Apple, which made the former a huge enterprise reseller for the latter, as the reason for Big Blue now sinking the security dagger into Android’s back.

That may be a stretch, but the IBM security alert is curiously narrow when one considers Cordova is cross-platform for iOS, Blackberry, Windows Phone and even Palm’s WebOS, Samsung’s Bada and Nokia’s Symbian.

These non-Android operating systems are not mentioned in the security alert.

Should we assume that’s because the flaw only affects Android and not, devices running iOS? Neil Bergman of Cigital Security identified an iOS flaw in May which appears to have similarities to the one identified by IBM in Cordova. 

The biggest problem with the IBM security alert is that it leaves users without a clear answer as to the vulnerability of their Android apps. IBM should know better.