Android Security: Scanning your app for known vulnerabilities

Matthew Dolan
5 min read · Apr 25, 2017

Known vulnerabilities exist for libraries common to Android development such as OkHttp and Apache Commons I/O. The importance of such an issue is highlighted by its position in the OWASP 2017 Top 10 as A9 - Using Components with Known Vulnerabilities.

Our Android apps use more and more third-party libraries like these, and our direct dependencies in turn pull in their own set of transitive dependencies. So how do you find out about these vulnerabilities and keep your app secure?

The National Vulnerability Database can be queried to determine what security issues your use of open source software may bring with it. What is it, and how do we use it?

What is the National Vulnerability Database?

The NVD is a U.S. government repository containing details of publicly disclosed, security-related software flaws. Each flaw is linked to its entry in the Common Vulnerabilities and Exposures dictionary along with a score for the severity of the risk involved. The NVD provides downloads of its database, making it possible to cache the data locally and query it for any matches.
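As an added example (not code from the article), here is the core of such a local scan: a constructed NVD-style record stands in for the cached download, and the app's Gradle coordinates are checked against the CPE version ranges it carries. The field names follow the NVD JSON 1.1 feed schema as an assumption, the CVE id is a placeholder, and the Maven-to-CPE mapping is invented for the demonstration.

```python
import re
# Constructed sample shaped like one NVD JSON 1.1 feed entry (field names assumed
# from that schema); placeholder CVE id, invented bounds: okhttp >= 3.0.0, < 3.1.2.
NVD_FEED = {"CVE_Items": [{
    "cve": {"CVE_data_meta": {"ID": "CVE-0000-00001"}},  # placeholder, not a real CVE
    "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}},
    "configurations": {"nodes": [{"cpe_match": [{
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "3.0.0",
        "versionEndExcluding": "3.1.2",
    }]}]},
}]}

# Maven group:artifact -> CPE (vendor, product); these two mappings are assumptions.
MAVEN_TO_CPE = {
    "com.squareup.okhttp3:okhttp": ("squareup", "okhttp"),
    "commons-io:commons-io": ("apache", "commons_io"),
}

def version_key(v):
    """'3.1.2' -> (3, 1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def in_range(version, match):
    """Apply the NVD range fields (inclusive/exclusive start and end) to a version."""
    v = version_key(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc) or lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc) or hi_exc and v >= version_key(hi_exc):
        return False
    cpe_version = match["cpe23Uri"].split(":")[5]  # '*' means only the range fields apply
    return cpe_version == "*" or version_key(cpe_version) == v

def scan(dependencies, feed=NVD_FEED):
    """Return (dependency, cve_id, cvss_score) for each Gradle coordinate hit by a cached CVE."""
    hits = []
    for dep in dependencies:
        coord, version = dep.rsplit(":", 1)
        cpe = MAVEN_TO_CPE.get(coord)
        if cpe is None:
            continue  # unmapped library: a real scanner should report this, not assume it is clean
        for item in feed["CVE_Items"]:
            for node in item["configurations"]["nodes"]:
                for m in node.get("cpe_match", []):
                    parts = m["cpe23Uri"].split(":")
                    if m.get("vulnerable") and (parts[3], parts[4]) == cpe and in_range(version, m):
                        score = item["impact"]["baseMetricV3"]["cvssV3"]["baseScore"]
                        hits.append((dep, item["cve"]["CVE_data_meta"]["ID"], score))
    return hits
```

Running `scan(["com.squareup.okhttp3:okhttp:3.1.0"])` reports the placeholder CVE, while 3.1.2 (the exclusive upper bound) and 2.7.5 (below the inclusive lower bound) come back clean.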

What is the Common Vulnerabilities and Exposures dictionary?

CVE (Common Vulnerabilities and Exposures) is a free, publicly available list of publicly known cybersecurity vulnerabilities. It was set up to ensure there was a common name (the CVE identifier) that can be used…

Matt Dolan has been eating doughnuts and developing with Android since the dark days of v1.6.