January 4, 2020

No app is an island: The malware dangers of libraries and APIs

Joel Snyder

Every application depends on other software to work. It’s not just the operating system, but an entire ecosystem of libraries and Application Programming Interfaces (APIs) that speed the process of developing and delivering all modern applications. From a software developer’s point of view, the wide variety of libraries and packages available is an amazing accelerator. It’s code that doesn’t have to be written and debugged and maintained because someone out there is already doing that work. But it can also be an accelerator for malware.

For example, let’s suppose you need to know how many hours are between two dates. If you’re a programmer, you can definitely figure this out. First, you convert the date (like “January 16, 1964”) to some standard format. Do the other date, and then subtract the two. The answer might be in seconds, so you’d divide that by 3600, and boom, there’s your answer. Except that we’re now talking about thousands of lines of software to do all of that work.

Or, you can take the easy way out: Find a library with some time-and-date API you can call to hand over a couple of dates and do the subtraction. That’s not just easy — it’s actually better, because you can use a library that has been tested and debugged and is based on hundreds of hours of someone else’s work, probably doing an excellent job at solving the problem.


Do APIs pose security risks?

For an IT manager, though, this style of software development comes with increased complexity and security risks. Why? Because when you install an application from developer X, you aren’t just installing software from X. You’re also installing libraries and APIs from A, B, C, D, E and F. And that can bring potential problems. First, each of these libraries and APIs may have bugs that can open the door to system compromise and security failure.

Second, the libraries and APIs are generally large compared to the amount of code that is actually needed. For example, a date-time library has more than 100 functions in it. And even if only one of those functions is needed, the entire library is loaded as soon as any of its routines is called. More code equals more potential for security problems.

It’s not just a theoretical problem. In October 2019, security researchers discovered that WhatsApp was using a library called “libpl_droidsonroids_gif.” That library has a memory error in it (a “double-free” bug, where the same heap buffer is freed twice). By combining that bug with a complementary bug in WhatsApp, the researchers found several small holes that can be used to compromise Android versions 8.1 and 9.0.
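To make the bug class concrete, here is a constructed illustration added for this page (not the article’s code and not libpl_droidsonroids_gif’s): a hypothetical decoder frame loader whose error path frees a buffer but leaves the pointer dangling, so the caller’s normal cleanup frees it a second time, beside a hardened version whose release helper nulls the pointer so cleanup is idempotent. The `frame_t` type, the `GIF89a` header check and the `release()` helper are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-frame state standing in for a decoder's frame buffer
 * (constructed for this example; not the real library's code). */
typedef struct {
    unsigned char *pixels;
    size_t len;
} frame_t;

/* Idempotent release: free through the owner's pointer and null it, so a
 * second call on the same owner is a no-op instead of a double free. */
static void release(unsigned char **p) {
    free(*p);
    *p = NULL;
}

/* BEFORE: the error path frees the buffer but leaves f->pixels set, so the
 * caller's usual frame_destroy() frees it again. Never called in this demo,
 * because glibc's double-free detection would abort the process. */
int frame_load_unsafe(frame_t *f, const unsigned char *src, size_t len) {
    f->pixels = malloc(len);
    if (!f->pixels) return -1;
    memcpy(f->pixels, src, len);
    f->len = len;
    if (len < 6 || memcmp(src, "GIF89a", 6) != 0) {
        free(f->pixels);        /* first free; pointer still dangling */
        return -1;
    }
    return 0;
}

/* AFTER: same structure, but every free goes through release(), so the
 * frame is always in a consistent state whether or not loading succeeded. */
int frame_load(frame_t *f, const unsigned char *src, size_t len) {
    f->pixels = malloc(len ? len : 1);   /* avoid malloc(0) portability quirks */
    if (!f->pixels) { f->len = 0; return -1; }
    memcpy(f->pixels, src, len);
    f->len = len;
    if (len < 6 || memcmp(src, "GIF89a", 6) != 0) {
        release(&f->pixels);    /* frees and nulls: later cleanup is a no-op */
        f->len = 0;
        return -1;
    }
    return 0;
}

/* Cleanup that tolerates a frame whose load already failed, or a repeat call. */
void frame_destroy(frame_t *f) {
    release(&f->pixels);
    f->len = 0;
}
```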


What can be done about it?

Is this a problem? What can an IT manager actually do about these libraries that are hitchhiking on their applications? The unfortunate answer is, “not much.” But there are some things to keep in mind when users want to install applications on their mobile devices.

  1. Just because the software developer is trusted and trustworthy doesn’t mean that the entire software supply chain is uncompromised. Treat every application, even ones from trusted vendors, as a potential security problem. Tools such as Android for Work and Knox Platform for Enterprise help to isolate applications and data, reducing the risk when security is compromised.

  2. Use your Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) tools to control application installation. For example, restricting application installations to the Google Play Store or requiring that Google Play Protect be enabled can help reduce the risk of malware making a beachhead on your mobile devices.

  3. Using approved application lists is a radical step, but in high-security environments or those where the costs of compromise are very high, it may be the right step — again, managed through your MDM/EMM tools.

  4. Remove applications, especially applications that are not being regularly updated, from your mobile devices when they are not being used. If someone loads a car rental app on their mobile device because they want to rent a car, that’s fine. But if that’s a one-off and they normally use a different rental car agency, get rid of that application.

  5. If you’re also developing applications, encourage your development team to work with native Android APIs rather than third-party libraries. That’s not a promise that API compromise won’t happen, but it means you’re traveling a broader road with many more application developers, and many more eyes are looking at that code — which usually speeds security updates.

Today’s mobile device landscape is dotted with security landmines, and businesses and their employees can never be too cautious about what’s happening inside smartphones or tablets. See how Samsung Knox can help you navigate this landscape.
