Lax Android app developers putting millions of users at risk

Android application developers are putting millions of users at risk by failing to update Google’s widely used Play Core library to cover off a bug that was fixed in April 2020, Check Point has warned.

The CVE-2020-8913 flaw is a local, arbitrary code execution vulnerability which enables a malicious actor to create an Android Package Kit (APK) targeting a specific app that lets them execute code as the targeted app, and access its data held on the user device. This may include private information such as login credentials, financial details, private messages or photos.

It is rooted in the Play Core library, a crucial element in enabling developers to push their own in-app updates and new feature modules to live apps. The Play Core library was used in about 13% of apps available on the Google Play Store as of September 2020.

It was patched by Google on 6 April 2020, but as it is a client-side vulnerability – as opposed to a server-side vulnerability which is patched completely once the patch is applied to the server – effectively mitigating it requires each developer using Play Core Library to grab the patched version and install it into their app. Eight
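Because the fix only takes effect once each app ships a rebuilt binary with the patched library, the practical defender's check is an inventory of which apps still pin an old Play Core version in their Gradle build files. The script below is an added example, not code from Check Point or Google: it extracts the pinned version of the `com.google.android.play:core` Maven artifact from Gradle files and flags anything below a minimum version. The minimum version is a placeholder (the page does not state the fixed release number; set `MIN_SAFE_VERSION` to the version named in Google's advisory before using it), and the sample build files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag Gradle build files that pin the Play Core library below
# a minimum version. Not code from the original article or from Google.

# Placeholder: the page does not give the fixed release; override via the
# environment with the version named in Google's advisory for CVE-2020-8913.
MIN_SAFE_VERSION="${MIN_SAFE_VERSION:-9.9.9}"

# version_lt A B -> exit 0 when dotted numeric version A sorts before B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$1" ]
}

# play_core_version FILE -> print the version pinned for
# com.google.android.play:core in a Gradle (Groovy or Kotlin DSL) file, if any.
play_core_version() {
  sed -n 's/.*com\.google\.android\.play:core:\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# check_gradle FILE -> print one status line; return 1 only when the file pins
# a Play Core version older than MIN_SAFE_VERSION.
check_gradle() {
  v=$(play_core_version "$1")
  if [ -z "$v" ]; then
    echo "ABSENT     $1 (no Play Core dependency pinned here)"
    return 0
  fi
  if version_lt "$v" "$MIN_SAFE_VERSION"; then
    echo "VULNERABLE $1 pins play-core $v (< $MIN_SAFE_VERSION), rebuild and re-release"
    return 1
  fi
  echo "OK         $1 pins play-core $v"
  return 0
}

# scan_tree DIR -> check every *.gradle and *.gradle.kts under DIR; return 1 if
# any file is flagged, so the script can gate a CI job.
scan_tree() {
  rc=0
  for f in $(find "$1" -type f \( -name '*.gradle' -o -name '*.gradle.kts' \)); do
    check_gradle "$f" || rc=1
  done
  return $rc
}

# write_sample_gradle FILE VERSION -> write a constructed build file for demos.
write_sample_gradle() {
  printf 'dependencies {\n    implementation "com.google.android.play:core:%s"\n}\n' "$2" > "$1"
}

# Demo on constructed input when a directory is not supplied on the command line.
if [ $# -gt 0 ]; then
  scan_tree "$1"
else
  demo_dir=$(mktemp -d)
  write_sample_gradle "$demo_dir/legacy_app.gradle" 1.6.4        # constructed: old pin
  write_sample_gradle "$demo_dir/updated_app.gradle" "$MIN_SAFE_VERSION"
  printf 'dependencies {\n    implementation "androidx.core:core-ktx:1.3.2"\n}\n' > "$demo_dir/other.gradle"
  scan_tree "$demo_dir" || true
  rm -rf "$demo_dir"
fi
```

Run it as `sh check_play_core.sh /path/to/source/tree` in CI and fail the build on a non-zero exit. The version comparison is numeric per dotted field, so `1.10.0` correctly sorts after `1.9.0`; a file that builds the dependency string from a Gradle variable rather than a literal will show as ABSENT and needs a manual look.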