SBOM analysis of 10 popular Android sports and betting apps by Synopsys CyRC - Mobile Security Briefing 2023.094

March 02, 2023 (Last Modified: March 08, 2023)

The Cybersecurity Research Center at Synopsys analyzed the Software Bill of Material (SBOM) for 10 populars Android sports and betting apps and released their findings earlier this month. Not surprisingly, many of the apps contained outdated and vulnerable open source components.

You should take a look at the report as it’s interesting and well written. But I’d like to focus in on two important points that they made.

Exploitable

Whenever a developer is presented with evidence of a vulnerable dependency, I suspect on of the first questions that comes to mind is: ok, but is that code used and exploitable?

It was great to see that the Synopsys researchers acknowledged that right out of the gate:

Known vulnerabilities in open source components are not necessarily exposed in the app. However, risk increases with the age of the components and the number of known vulnerabilities.

In fact, a study released by Kenna Security in Jan 2022 found exploitability of CVEs to be quite low:

Our vulnerability intelligence identifies exploit code or activity for about 16% of all vulnerabilities on the CVE List. If we narrow further to both observed exploits AND high-risk vulns, we’re looking at only 4%. Suddenly the CVE List isn’t so daunting.

If you’re interested in learning more about emerging standards for reporting and predicting exploitability, definitely check out:

Exploit Prediction Scoring System (EPSS) by First
Vulnerability Exploitability eXchange (VEX) from CISA

Also, have to give a shout out the the impressive, open source SBOM management tool Dependency-Track. I highly recommend checking out this software stack if you would like to better manage your software supply chain.

SBOM as a Proxy

The other statement I found interesting from Synopsys was the idea of treating “SBOM health” as a proxy for overall focus on cybersecurity:

Furthermore, outdated components are an indication that development teams are not managing their open source dependencies, which could be an indication that they are not handling security well in general.

While I’m sure it won’t hold true in all cases, I suspect it’s a rather effective proxy. There are tools today, largely automated, that allow developers to understand their software supply chain and even automatically update to newer, non-vulnerable versions of component (e.g. GitHub DependaBot | renovate). While it’s not a slam dunk, if developers are not able to leverage these tools, I suspect cybersecurity isn’t a high focus for them.

If you’d like to check out the SBOM for any Android or iOS app on the public stores, sign up for 10 free mobile SBOMs from NowSecure. (Disclaimer: I’m a co-founder at NowSecure)