Mobile app developers make extensive use of third-party libraries: there is no need to reinvent the wheel, especially when the Android ecosystem offers multiple viable solutions, either as open source or as license-based libraries.
The efficiency gains of using third-party libraries come with a security trade-off: these libraries need to be carefully evaluated to understand the security risks they may introduce into your application. Libraries used in your app run with the same privileges and capabilities as your app, which means that such (insecure) code can access all the files and permissions available to your own code. For example, library code might change a setting that is global to the entire app process; the change may be benign in the sole context of the library, but it can cause severe security issues in your application as a whole.
The first step in fixing security vulnerabilities is understanding where they originate. Once you know the origin, you can determine whether you can fix the vulnerability yourself, or whether you need to follow up with the author of the third-party dependency.
With AppSweep we’ve recently improved our analysis to achieve more reliable detection of third-party libraries. As a result, now you can gain better insight into the vulnerabilities and whether they are related to your own code or third-party libraries.
This is presented in AppSweep in the following ways:
Filtering your Findings - On the findings page for your build, all issues are shown by default, but you can use the “origin” filter and check either the “internal” or the “dependencies” box.
Finding Details - The detail page of an issue also clearly identifies whether it comes from a dependency.
Dependency Analysis with Summary - The Libraries card in your build summary now opens a new overview that lists all the libraries detected in your app, with a clear indication of the number of findings identified in each library.
By using all of the above, you now have full visibility into the components of your app and the security issues each of them brings. With this information, you can prioritize which libraries to investigate first.