Development with an element of risk

tanjimajuha20
Posts: 538
Joined: Thu Jan 02, 2025 7:24 am

Post by tanjimajuha20 »

Developing your own mobile applications is a trend in modern IT training and a popular service in the market. Businesses need their own applications for online stores, ordering, booking and shopping services, games and entertainment. Every day, Russians download such products from application libraries in two clicks, but this is not as safe as it seems.

Ilya Polyakov, Head of Code Analysis at Angara Security, explains why developing your own software based on open source software in Russia poses major risks for owners and users after February 24, 2022.

An application that programs the inscription on a New Year's garland. An application that turns an Android screen into an iPhone screen or simulates a fake incoming call to interrupt an awkward conversation. An application with a lighter for concerts, an application with discounts and an application for making an appointment with a specialist. Developers around the world (and Russia is no exception) use open source for many of these products. This is open source software that the next author can adapt to their tasks, refine, improve and supplement, or use in the development of another program with a similar code architecture. The open source concept is a global practice; it was born in response to the proprietary software of commercial companies, with strict copyrights and limited or completely closed code.

Open source code makes life much easier for users, developers, and entire corporations. Thanks to freely available open source developments, you need not waste time creating the necessary code from scratch, but can integrate ready-made solutions into the architecture of your software. This way we get the applications needed for business much faster and at lower cost. Open source code was used to create Google Chrome, Opera and Yandex Browser, and the Android operating system was also based on open source.

The dangerous "but" is that attackers can add malicious functionality to a popular, mature open source component. When using open source and borrowing open source components, developers are usually wary of malicious Python packages. For example, this year IT specialists encountered such malicious packages in the Python Package Index (PyPI) repository. Once installed, they unpacked malicious software onto the developer's machine that tried to gain a foothold in the system and could then steal confidential data and gain access to victims' cryptocurrency wallets, their browser history, and other applications. But in Russia, this risk problem is now much broader: after February 24, 2022, cybersecurity specialists have observed the emergence of protestware. This is the addition of malicious functionality to open source code that is activated only in Russian cyberspace.

Open means vulnerable
Any software is vulnerable to external threats and malicious influences, but it is easier and faster to detect danger in open source software. The disadvantage of open source programs can be turned into their advantage: if a special trusted repository (a large store of open source data and programs) is created, then all the necessary components for further use could be filtered and checked by information security services. At Angara Security, we are confident that the level of checking can be selected depending on the criticality of the architectural elements of the software. For example, one developer needs a third-party archive of Java classes to create their software, another needs a Python package, and a third needs a Docker image (a template for creating and running an application. — Forbes). For each such component, you can set the level of protection and checking: from automatic scanning with an antivirus/sandbox and an SCA tool for "malware" and known vulnerabilities, to a semi-automated search for new vulnerabilities in the source code, or even an expert analysis of each commit (the latest changes in the code).
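The tiered checking the post describes for a trusted repository can be expressed as an admission gate: each component carries a pinned digest and the results of the checks its criticality requires, and it enters the repository only when the digest matches and every required check has passed. The code below is an added example written for this page, not code from Angara Security or the post's author; the tier names, check names, advisory identifiers and artifact bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Checking depth per criticality, following the tiers in the post:
# automatic AV/sandbox + SCA scanning, then semi-automated source review,
# then expert review of every commit for the most critical components.
REQUIRED_CHECKS = {
    "low": ("av_sandbox", "sca"),
    "medium": ("av_sandbox", "sca", "source_review"),
    "high": ("av_sandbox", "sca", "source_review", "commit_review"),
}
BLOCKING_SEVERITIES = {"high", "critical"}

@dataclass
class Component:
    name: str            # a Java archive, a PyPI package or a Docker image
    criticality: str     # "low" | "medium" | "high"
    artifact: bytes      # constructed stand-in for the real file
    pinned_sha256: str   # digest recorded when the component was requested
    # results from the checking pipeline: "sca" is a list of
    # (advisory_id, severity) pairs, every other check is a bool
    results: dict = field(default_factory=dict)

def admit(c: Component) -> tuple[bool, list[str]]:
    """Decide whether a component may enter the trusted repository."""
    problems = []
    if hashlib.sha256(c.artifact).hexdigest() != c.pinned_sha256:
        problems.append("artifact digest differs from the pinned digest")
    for check in REQUIRED_CHECKS[c.criticality]:
        if check not in c.results:
            problems.append(f"{check}: no result recorded")
        elif check == "sca":
            bad = [adv for adv, sev in c.results["sca"] if sev in BLOCKING_SEVERITIES]
            if bad:
                problems.append("sca: blocking vulnerabilities " + ", ".join(bad))
        elif c.results[check] is not True:
            problems.append(f"{check}: did not pass")
    return (not problems, problems)

def sample_components() -> list[Component]:
    """Constructed sample components (not real artifacts or advisories)."""
    clean = b"constructed jar bytes"
    good = hashlib.sha256(clean).hexdigest()
    return [
        Component("orders-lib.jar", "low", clean, good, {"av_sandbox": True, "sca": []}),
        Component("payments-core.jar", "high", clean, good,  # commit_review missing
                  {"av_sandbox": True, "sca": [("ADV-EXAMPLE-1", "critical")], "source_review": True}),
        Component("booking-client.jar", "medium", clean + b" tampered", good,
                  {"av_sandbox": True, "sca": [("ADV-EXAMPLE-2", "low")], "source_review": True}),
    ]
```

Running `admit` over `sample_components()` admits only the first component; the second is held back for a critical SCA finding and a missing commit review, the third because its bytes no longer match the pinned digest.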