What AppBugs is really saying about Android app security

A new "security app" for Android claims apps like the ASTRO File Manager are vulnerable. Jack Wallen challenges this claim.

App bugs

I was recently contacted by a PR firm about an app called AppBugs. Effectively, the app checks your Android device for apps with critical bugs. The missive informed me that AppBugs had uncovered the following list of apps that are suffering from serious security bugs:

  • MeituPic
  • ASTRO File Manager with Cloud
  • gReader
  • Windows Live Hotmail Push Mail
  • JustUnFollow
  • Brother iPrint & Scan
  • Software Data Cable
  • FriendCaster Chat
  • PrintHand Mobile Print
  • Phone for Google Voice & GTalk
  • Instachat
  • InstaMessage
  • InstaG
  • FoxIt MobilePDF

This piqued my interest, especially considering ASTRO File Manager with Cloud was listed among the culprits. And so, I installed the app to see what's going on.

First and foremost, the app is fairly easy to use. Once you run it, it lists what apps you've installed that suffer from a critical bug. As expected, ASTRO File Manager with Cloud is front and center (Figure A).

Figure A

AppBugs reporting ASTRO on a Verizon-branded Droid Turbo.

When you tap the app listing, you're presented with zero detail (unless you purchase the full app at $0.99/month or $9.99/year). Okay, I get and respect that... developers have to make a buck as well. I dug a bit deeper to find out more about the critical bug. Apparently, all of the apps in the above listing have the same security flaw--a vulnerability related to signing into services with social networking accounts. It's an SSL issue, where developers are using their own client certificate validation techniques when using WebViews.

This is a known bug in Android--there's no official way to get WebViews to use certificates for requests generated by the WebView. In fact, the WebView bug affected Android 4.2 and earlier. So, effectively, the information AppBugs presents should be looked at as a real concern--with an asterisk (that asterisk being if you authenticate these apps using social networking sites). The solution for users who aren't using Android 5.0, which solved the WebView problem, is to not use your social networking accounts to authenticate against these apps. When prompted, create an account with the service so A) the app isn't tied to your social network account and B) it doesn't use the vulnerable WebView in older versions of the Android platform.
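The article doesn't show any of the listed apps' code, so the following is an added illustration (not taken from AppBugs or from any app named above) of the general pattern it describes: a WebViewClient that "validates" certificates itself by accepting every SSL error, beside a hardened client that leaves validation to the platform and, on Android 5.0+ (API 21), answers client-certificate requests through the official WebViewClient callback. The key and certificate chain passed to the strict client are assumed to be loaded from the app's own KeyStore.

```java
import android.net.http.SslError;
import android.webkit.ClientCertRequest;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;

// Insecure pattern (illustrative only): the app overrides SSL error handling
// and proceeds regardless, so any certificate is accepted and the social-login
// session inside the WebView can be read by a man-in-the-middle.
class AcceptAllWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // disables certificate validation for this WebView
    }
}

// Hardened pattern: never override the platform's certificate validation, and
// supply the client certificate through the API that Android 5.0 (API 21) added
// instead of a home-grown workaround. On older platforms this callback is never
// invoked, which is the gap pre-Lollipop apps tried to paper over themselves.
class StrictWebViewClient extends WebViewClient {
    private final PrivateKey clientKey;          // assumed: loaded from the app's KeyStore
    private final X509Certificate[] clientChain; // assumed: loaded alongside the key

    StrictWebViewClient(PrivateKey clientKey, X509Certificate[] clientChain) {
        this.clientKey = clientKey;
        this.clientChain = clientChain;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel(); // untrusted server certificate: abort the load rather than "fix" it in-app
    }

    @Override
    public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
        if (clientKey != null && clientChain != null) {
            request.proceed(clientKey, clientChain); // platform performs the TLS client auth
        } else {
            request.cancel(); // no credential available: let the server reject the request
        }
    }
}
```

On a device running Android 4.2 or earlier only the first class compiles against the available API, which is exactly the situation the article's advice about avoiding social-network sign-in is aimed at.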

Honestly, if you're presenting information about apps in the Google Play Store being vulnerable, why not bother to say "The following apps suffer from the WebView vulnerability. If you're using the latest version of Android, you're not affected." What's also interesting is that the security app doesn't bother to check what version of Android you're using. So, on a device with Lollipop (one that doesn't suffer from the WebView vulnerability), AppBugs still lists ASTRO File Manager with Cloud as vulnerable. How could an app still be listed as vulnerable when what made it vulnerable has been fixed on the latest version of the platform?

Here's what I think: The AppBugs scan is so remarkably fast that it seems the app is merely matching your installed apps against a database of known vulnerable apps instead of checking those apps against the installed platform for actual vulnerabilities. Considering the foundation of the vulnerability this app is reporting, I would think running a scan on a platform the vulnerability doesn't affect would cause AppBugs to not raise a flag against said app. Instead, the app is listed as vulnerable, regardless of which version of Android is used.

To test this, I ran both AVG Anti Virus and Malwarebytes on the same Android device (a Verizon-branded Droid Turbo running Android 5.1) on which AppBugs claimed ASTRO File Manager with Cloud was vulnerable. AVG reported two issues (neither of them having anything to do with ASTRO) and Malwarebytes came up clean.

For me, this issue cuts to a very ugly chase, one that has been around for such a long time. From my perspective, this is a slight bit of fear, uncertainty, and doubt (FUD) on the part of the AppBugs developers.

If you've been involved with Linux for any length of time, you fully understand that concept. The spreading of FUD is usually done intentionally in order to put a competitor at a disadvantage. Sometimes, this FUD can be a half-truth or a portion of the relevant information spun in such a way as to cause the rumor mill to hit warp factor 42. I believe this is the case with AppBugs' reporting of these issues. Although the apps would be vulnerable on an older release of Android, when you're running the latest Android (with the latest version of WebView), that vulnerability is a thing of the past. And if you're still concerned, just make sure you don't authenticate an app against your cloud or social network accounts, and you'll be fine.

Don't fall for FUD. Know what you're dealing with when claims such as these are made.

Have you run across security apps like AppBugs that aren't exactly accurate with their results? Share your experience in the discussion thread below.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....