Comments by: Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group
Running an app store is incredibly difficult. At its root, the problem is to make sure apps do what they claim to do, and don’t do anything bad. But defining “bad” is hard, and figuring out what apps really do is very hard indeed.
Google’s upcoming addition of privacy information to the Play Store is a step in the right direction, but the challenge will be enforcement. If an app saves more user data than claimed, such a violation will be difficult to detect without manual inspection.
Apps are usually one part of a larger application system. The best way to safeguard security is for app developers to use a Secure Development Life Cycle, in which security is part of every phase of development, from design through implementation, testing, and maintenance.
One important part of secure development that impacts user data and privacy is managing the use of open source components. As highlighted in the recent Synopsys CyRC report, ‘Peril in a Pandemic’, almost two-thirds of the most popular apps in the Play Store contain vulnerabilities from open source components. Out of those, 94% of the vulnerabilities have publicly documented fixes, meaning the vulnerabilities can be eliminated if the app developers update the app to use the latest versions of the open source components.
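The dependency check described in the comment above, as an added example that is not Knudsen's or Synopsys's code: it parses a constructed Gradle-style lock list, matches each component against a constructed advisory list (hypothetical component names and advisory IDs, not real CVEs), reports which vulnerable components already have a published fix, and produces the minimum upgrade per component. Versions are assumed to be purely numeric dotted strings; the affected range is assumed to be `[introduced, fixed)`.

```python
"""Added example: audit an app's open source components against advisories.

All component names, versions and advisory IDs below are constructed for
illustration and do not refer to real packages or real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """A published vulnerability record for one component.

    Affected range is [introduced, fixed); fixed=None means no fix is published.
    """
    advisory_id: str
    component: str          # "group:artifact", Maven/Gradle style
    introduced: str
    fixed: Optional[str]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory_id: str
    fixed: Optional[str]    # version to upgrade to, if a fix is published


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.9.10' -> (2, 9, 10). Assumption: purely numeric dotted versions."""
    try:
        return tuple(int(seg) for seg in v.split("."))
    except ValueError:
        raise ValueError(f"unsupported version string: {v!r}")


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed); open-ended if fixed is None."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Parse 'group:artifact:version' lines; blank lines and '#' comments are ignored."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed dependency line: {raw!r}")
        group, artifact, version = parts
        deps.append((f"{group}:{artifact}", version))
    return deps


def audit(lockfile: str, advisories: List[Advisory]) -> List[Finding]:
    """Every (component, advisory) pair where the pinned version is affected."""
    findings = []
    for component, version in parse_lockfile(lockfile):
        for adv in advisories:
            if adv.component == component and is_affected(version, adv):
                findings.append(Finding(component, version, adv.advisory_id, adv.fixed))
    return findings


def fix_available_ratio(findings: List[Finding]) -> float:
    """Share of findings that already have a published fixed version."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed is not None) / len(findings)


def upgrade_plan(findings: List[Finding]) -> Tuple[Dict[str, str], List[str]]:
    """Per component, the lowest version that clears every fixable finding.

    Components with at least one unfixed advisory are returned separately,
    since upgrading alone cannot eliminate that exposure.
    """
    plan: Dict[str, str] = {}
    unfixed = set()
    for f in findings:
        if f.fixed is None:
            unfixed.add(f.component)
        elif f.component not in plan or parse_version(f.fixed) > parse_version(plan[f.component]):
            plan[f.component] = f.fixed
    return plan, sorted(unfixed)


# Constructed sample inputs (hypothetical names, not a real project or real CVEs).
LOCKFILE = """
# constructed sample, Gradle-style group:artifact:version
com.example:json-parser:2.9.8
com.example:image-loader:4.1.0
com.example:crypto-utils:1.2.3
com.example:analytics-sdk:3.0.0
"""

ADVISORIES = [
    Advisory("EX-2021-001", "com.example:json-parser", "2.0.0", "2.9.10"),  # fix published
    Advisory("EX-2021-002", "com.example:image-loader", "4.0.0", "4.0.5"),  # 4.1.0 is already past the fix
    Advisory("EX-2021-003", "com.example:crypto-utils", "1.0.0", None),     # no fix published yet
    Advisory("EX-2021-004", "com.example:json-parser", "2.9.0", "2.9.9"),   # second issue, same component
]

if __name__ == "__main__":
    results = audit(LOCKFILE, ADVISORIES)
    for f in results:
        status = f"upgrade to {f.fixed}" if f.fixed else "no published fix"
        print(f"{f.component} {f.version}: {f.advisory_id} ({status})")
    plan, unfixed = upgrade_plan(results)
    print("upgrade plan:", plan)
    print("still exposed after upgrades:", unfixed)
    print(f"findings with a published fix: {fix_available_ratio(results):.0%}")
```

On the constructed input the audit yields three findings: two against json-parser 2.9.8 (both fixable, so the plan pins it to 2.9.10, the higher of the two fixed versions) and one against crypto-utils with no published fix, which the plan reports separately because no dependency bump removes it. image-loader 4.1.0 is past its advisory's fixed version and is correctly not flagged.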