Software Bill of Materials Affects Millions of Apps

As I keep saying, software bill of materials (SBoM) is a real problem.

Until now, perhaps, it was a theoretical problem in your mind. Here is why it is not a theoretical problem.

Back in March 2020 (like 9 months ago), security company Oversecured discovered a bug in the Google Play Core Library that allows malicious apps to execute code inside legitimate apps that bundle the library. It was rated 8.8/10 for severity.

That was March; this is the following January.

But many developers have not upgraded their apps to include the fixed library. Some of the affected apps have 250 million downloads (no, that is not a typo).

So how do you, as a user, know if any of the apps that you have installed are vulnerable? Absent a software bill of materials, you don’t really know. It is possible that you could look at the software manifest; I am not sure if it would show this particular library, but how many people have the skill to be able to do that?

ON THE OTHER (DEVELOPER) SIDE, if your company develops apps, how do you know which apps are affected? Which apps have a pre-1.7.2 version of the library included, which apps don’t use the library at all, and which apps use version 1.7.2 or later?

If you answered Software Bill of Material, you get a gold star. No, make it two gold stars.
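Here is what that answer looks like in practice. The script below is an added example, not code from the original post or from Oversecured or Google: it reads a small set of constructed, CycloneDX-style JSON SBOMs (one per app) and sorts the apps into the three buckets the question above asks for. It assumes the Play Core library is identified in each SBOM by the Maven package URL prefix `pkg:maven/com.google.android.play/core@` (an assumption; the post names only the library and version 1.7.2) and treats 1.7.2 and later as patched.

```python
"""Triage per-app SBOMs for a vulnerable library version.

Added example, not from the original post. Assumes CycloneDX-style JSON
SBOMs and that the Play Core library appears under the Maven purl prefix
below (an assumption; the post names only the library and version 1.7.2).
Versions below FIXED_VERSION count as vulnerable, 1.7.2 and later as patched.
"""
import json
import re
from typing import Dict, List, Tuple

# Assumed package identity for the Play Core library (package URL form).
PLAY_CORE_PURL_PREFIX = "pkg:maven/com.google.android.play/core@"
FIXED_VERSION = "1.7.2"  # from the post: anything earlier is vulnerable


def _component(group: str, name: str, version: str) -> dict:
    """Build one CycloneDX-style component entry (helper for the samples)."""
    return {"group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}"}


# Constructed sample SBOMs: invented apps and invented dependency lists.
SAMPLE_SBOMS: Dict[str, str] = {
    "app-a": json.dumps({"bomFormat": "CycloneDX", "components": [
        _component("com.google.android.play", "core", "1.6.4"),
        _component("com.squareup.okhttp3", "okhttp", "4.9.0")]}),
    "app-b": json.dumps({"bomFormat": "CycloneDX", "components": [
        _component("com.squareup.okhttp3", "okhttp", "4.9.0")]}),
    "app-c": json.dumps({"bomFormat": "CycloneDX", "components": [
        _component("com.google.android.play", "core", "1.8.0")]}),
    # Two copies pulled in transitively; the older one still exposes the app.
    "app-d": json.dumps({"bomFormat": "CycloneDX", "components": [
        _component("com.google.android.play", "core", "1.7.2"),
        _component("com.google.android.play", "core", "1.5.0")]}),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.2' (or '1.7.2-beta01') into a comparable tuple (1, 7, 2).

    Only the leading digits of each dot-separated segment are used, so a
    pre-release suffix is ignored rather than causing a string comparison.
    """
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def play_core_versions(sbom_json: str) -> List[str]:
    """Return every Play Core version listed in one SBOM.

    An SBOM can list the same library more than once when different
    dependencies pull in different versions, so a list is returned.
    """
    bom = json.loads(sbom_json)
    found = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith(PLAY_CORE_PURL_PREFIX):
            found.append(purl[len(PLAY_CORE_PURL_PREFIX):])
    return found


def classify(sbom_json: str) -> str:
    """Classify one app as 'vulnerable', 'fixed', or 'not-used'."""
    versions = play_core_versions(sbom_json)
    if not versions:
        return "not-used"
    # Worst case wins: if any bundled copy is below the fix, the app is exposed.
    lowest = min(versions, key=parse_version)
    if parse_version(lowest) < parse_version(FIXED_VERSION):
        return "vulnerable"
    return "fixed"


def triage(sboms: Dict[str, str]) -> Dict[str, str]:
    """Map each app name to its classification."""
    return {app: classify(bom) for app, bom in sboms.items()}


if __name__ == "__main__":
    for app, status in triage(SAMPLE_SBOMS).items():
        print(f"{app}: {status}")
```

The point of the worst-case rule in `classify` is that an SBOM which lists the library twice is not a data error to be cleaned up; it is exactly the situation where a build quietly carries an old copy alongside the new one, and only the SBOM makes that visible.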

So now the problem is not theoretical. I wish I could tell you which apps that your users are running are vulnerable. Unfortunately, most companies do not publish SBoMs, so at this point you really have no way of knowing.

Credit: Hackread