Risk Finder

feature

RiskFinder supports secure Android app development

Smartphones open up important cell phone functions to application developers. If developers do not design and code with security in mind, damage can occur, such as the leakage of smartphone users' personal information or the misuse of fee-based cell phone functions by malware.

RiskFinder is an Android app vulnerability diagnostic web service that supports secure app development by detecting app vulnerabilities and problems with over 500 checks. (Click here for details http://www.riskfinder.co.jp/feature.html)

Surprisingly large number of Android app vulnerability-related reports

In 2015, 163(*) Android-related vulnerability reports were submitted to IPA. Most of the reported problems are easily preventable with an understanding of Android specifications and characteristics, but the number of reports has not decreased since the first report in 2008.

(*) Source: http://jvndb.jvn.jp/ (our own count, as of December 28, 2015)

Why vulnerability-related reports are not decreasing

Some of the major reasons are listed below.

  • It is difficult to find time for a detailed source code review during application development.
  • Android has unique specifications and characteristics, and an engineer without that knowledge cannot design an application properly.
  • When libraries created by others (other companies) are incorporated into an application, it is impossible for the developer to be aware of any vulnerabilities in the library.

Limitations of vulnerability countermeasures relying on engineers' knowledge and experience

Vulnerability countermeasures that rely only on the knowledge and experience of engineers can only go so far in delivering secure applications while keeping up with the latest specifications of the ever-evolving Android OS.
We need a mechanism to diagnose the entire application comprehensively.
RiskFinder is a web service that performs vulnerability diagnostics specifically for Android. It can diagnose vulnerabilities without the need for source code, and can detect problems within the libraries used by the application.
For more information: http://www.riskfinder.co.jp/feature.html

RiskFinder is a product developed by Tao Software Inc., a wholly owned subsidiary of sMedio.
The product page for Tao Software Co. is here. The following is a list of the most common problems with the