On October 25, 2022, OpenSSL started pre-notifying organizations of two critical vulnerabilities in OpenSSL 3.0.x. On the bright side, OpenSSL 3.0 had not yet been widely deployed, and even better, on November 1, 2022, the two vulnerabilities were downgraded from critical to high. Nonetheless, on the heels of other recent high-impact vulnerabilities like Log4j, and the devastating widespread impact of the earlier OpenSSL vulnerability "Heartbleed" starting in 2014, defenders went on high alert... and so did we.
We found 1,529 instances of OpenSSL in 608 applications.
Popular mobile apps with OpenSSL
We analyzed 3,845 very popular mobile applications from our MobileRiskTracker™ to see whether any mobile apps contained a direct or transitive dependency on OpenSSL and, if so, whether that version was vulnerable. Overall, Android apps make up about 90% of popular mobile apps with OpenSSL and iOS apps 10%.
The good news is that we found no mobile applications exposed to the recently announced OpenSSL 3.0.x vulnerabilities. But there are substantial problems with mobile apps that use older versions of OpenSSL that have known vulnerabilities. Specifically, we found 1,529 instances of OpenSSL in 608 apps (~16%) with the following issues:
- 98% of OpenSSL versions in these popular mobile apps have publicly disclosed vulnerabilities
- 86% of vulnerable versions have a HIGH severity
- 30% of OpenSSL versions in popular mobile apps are not fully supported
- 57% are unsupported or require premium support (OpenSSL 1.0.2 branch)
Delving into these mobile applications using our Software Bill of Materials (SBOM) mobile analysis, we found that OpenSSL is most often included via third-party SDKs (identified as transitive dependencies). Note that SQL encryption is the most common dependency that includes the OpenSSL library. I list many more details about the main libraries and dependencies in my personal VLOG on SBOM here.
It is also interesting to look at the mobile applications affected by industry vertical:
How to detect OpenSSL in your mobile app
There are two main categories of mobile apps that you should consider testing:
- Apps you build
- Apps you use
NowSecure Platform provides automated analysis of the mobile apps you build and use, using binary analysis to identify vulnerabilities and to dynamically generate an SBOM as well. So if you are an organization worried about your mobile application software supply chain, you can request a NowSecure Platform demo or get 10 free SBOM reports.
To learn more about SBOMs, visit the recent tutorials I have been sharing here. For a deeper dive into how I ran the analysis above, and to learn how to perform your own analysis of OpenSSL in mobile apps, visit my VLOG and watch How to detect OpenSSL v3.0 and Heartbleed vulnerabilities in mobile applications.
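As an added example (not code from the post or from NowSecure's platform), the following Python scanner shows the simplest form of the binary analysis described above: it looks for the OpenSSL version banner that libcrypto embeds as plain text, counts each hit as an instance, and maps every distinct version to its release branch and to the support status the post assigns to that branch. The native-library bytes are constructed inline.

```python
import re
from collections import Counter

# Constructed sample standing in for a native library extracted from a mobile app.
# Even a stripped .so or Mach-O keeps the OpenSSL version banner (the
# OPENSSL_VERSION_TEXT string compiled into libcrypto) as plain text, so it can be
# found without symbols. Bytes outside the banners are filler.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"   # 1.0.2 branch (unsupported per the post)
    + b"SQLITE_HAS_CODEC\x00"              # unrelated string that must be ignored
    + b"OpenSSL 3.0.5 5 Jul 2022\x00"      # a second bundled copy from the 3.0 series
    + b"OpenSSL 1.0.2k  26 Jan 2017\x00"   # repeated banner counts as another hit
)

# Banner layout: "OpenSSL <major>.<minor>.<patch><letters>" followed by a build date.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")

# Branch status as stated in the post: the 1.0.2 branch is unsupported or needs
# premium support, and 3.0.x is the series covered by the November 1, 2022 advisories.
BRANCH_STATUS = {
    "1.0.2": "unsupported / premium support only",
    "3.0": "3.0.x series: verify the build includes the November 2022 fixes",
}

def branch_of(version: str) -> str:
    """Map '1.0.2k' -> '1.0.2' or '3.0.5' -> '3.0'. Before 3.0 a branch is named by
    three components (1.0.2, 1.1.1); from 3.0 on the third component is the patch
    level within the branch, so two components identify it."""
    major, minor, patch = re.sub(r"[a-z]+$", "", version).split(".")
    return f"{major}.{minor}.{patch}" if int(major) < 3 else f"{major}.{minor}"

def find_openssl_versions(blob: bytes) -> Counter:
    """Count every OpenSSL version banner in a binary blob, keyed by version string."""
    return Counter(m.group(1).decode() for m in BANNER_RE.finditer(blob))

def report(blob: bytes) -> dict:
    """Per distinct version: its branch, number of hits, and the status assigned above."""
    result = {}
    for version, hits in find_openssl_versions(blob).items():
        branch = branch_of(version)
        status = BRANCH_STATUS.get(branch, "not classified here; check the OpenSSL release policy")
        result[version] = {"branch": branch, "hits": hits, "status": status}
    return result

if __name__ == "__main__":
    for version, info in report(SAMPLE_BLOB).items():
        print(f"OpenSSL {version:<7} branch {info['branch']:<5} x{info['hits']}  {info['status']}")
```

Run it against the native libraries unpacked from an APK or IPA instead of SAMPLE_BLOB to get the same per-version inventory for your own apps; a banner-based scan finds statically linked copies that a package manifest alone would miss.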