Abstract

The diverse Android app stores are full of applications written in multiple languages and frameworks. When it comes to optimizing for performance and cutting-edge features, the ultimate choice is to use specialized components written in C/C++. But with increased power comes increased responsibility, as native components tend to rot over time and turn an installed application into a security nightmare. OWASP has placed this scenario on their Top 10 list as "Using components with known vulnerabilities".

In our research we switched from policy to practice and examined a sample of prominent apps (especially Android antivirus apps) with large download counts. Unfortunately, even in 2018 major vendors ship their colorful applications with well-known security problems: some receive weekly updates on the functionality side but leave the ugly backyard of outdated native libraries (even ones with CVSS 10 vulnerabilities) untouched. Samples were taken from the major download store for Android, but also from the smaller ones.

The presentation will cover this and other Android native deployment anti-patterns that leave the user in danger of exploitation, enriched with mitigation recommendations and real-life examples.