Zimperium has unveiled alarming insights from its zLabs team, highlighting that a significant number of widely used Android applications continue to rely on an outdated mapping component, potentially jeopardizing users and enterprises alike.
Among the affected applications are several leading travel, airline, and weather apps, raising concerns about the security of everyday tools that many rely on.
The investigation
The investigation, aptly named ‘Follow the map to enterprise risk: What’s inside popular Android apps,’ identified a legacy library known as libmapbox-gl.so. This component, which was once part of Mapbox GL Native, remains embedded in thousands of active applications, despite its deprecation in 2023.
Zimperium emphasizes that this outdated library harbors older code versions that contain known security vulnerabilities. These flaws could be exploited by malicious actors to compromise devices, steal sensitive data, or disrupt the functionality of the applications.
App Defense Alliance (ADA)
In response to these findings, Zimperium is actively collaborating with Google through the App Defense Alliance (ADA) to enhance the security of the app ecosystem. While there is currently no evidence indicating active exploitation of these vulnerabilities, developers utilizing the deprecated Mapbox GL Native SDK are strongly urged to transition to either Mapbox Maps SDK v10+ or MapLibre to safeguard their applications and maintain their integrity.
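For an app-security or BYOD team, the first practical step is an inventory: which APKs in the fleet or in the build pipeline still package the deprecated native library. The script below is an added example and is not Zimperium's or Google's tooling; it assumes only the library name the report gives (libmapbox-gl.so) and the standard APK layout, where an APK is a ZIP archive with native code under lib/<abi>/. The two sample APKs it builds are constructed in memory for demonstration and are not real applications.

```python
import io
import sys
import zipfile
from pathlib import PurePosixPath

# Deprecated Mapbox GL Native library named in the zLabs report.
DEPRECATED_LIBS = {"libmapbox-gl.so"}


def native_libs(apk_bytes: bytes) -> dict:
    """Return {abi: [library names]} for every native library under lib/<abi>/ in the APK.

    An APK is a ZIP archive; the Android packaging convention places native
    code at exactly lib/<abi>/<name>.so, so deeper or differently placed
    entries are ignored.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = PurePosixPath(name).parts
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                found.setdefault(parts[1], []).append(parts[2])
    return found


def find_deprecated(apk_bytes: bytes) -> dict:
    """Return {abi: [deprecated library names]}, containing only ABIs with a match."""
    hits = {}
    for abi, libs in native_libs(apk_bytes).items():
        matched = sorted(lib for lib in libs if lib in DEPRECATED_LIBS)
        if matched:
            hits[abi] = matched
    return hits


def scan_apk_file(path: str) -> dict:
    """Scan an APK on disk; returns the same structure as find_deprecated."""
    with open(path, "rb") as f:
        return find_deprecated(f.read())


def build_sample_apk(libs_by_abi: dict) -> bytes:
    """Construct a minimal APK-shaped ZIP in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")   # stand-in, not a real manifest
        zf.writestr("classes.dex", b"dex\n035\x00")              # stand-in, not real bytecode
        for abi, libs in libs_by_abi.items():
            for lib in libs:
                # Minimal ELF magic so the entry looks like a shared object.
                zf.writestr(f"lib/{abi}/{lib}", b"\x7fELF" + b"\x00" * 12)
    return buf.getvalue()


# Constructed samples: one app still shipping the deprecated library for two ABIs, one clean.
SAMPLE_AFFECTED = build_sample_apk({
    "arm64-v8a": ["libmapbox-gl.so", "libc++_shared.so"],
    "armeabi-v7a": ["libmapbox-gl.so"],
})
SAMPLE_CLEAN = build_sample_apk({"arm64-v8a": ["libc++_shared.so"]})


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            hits = scan_apk_file(path)
            print(path, hits if hits else "no deprecated mapping library found")
    else:
        print("constructed affected sample:", find_deprecated(SAMPLE_AFFECTED))
        print("constructed clean sample:", find_deprecated(SAMPLE_CLEAN))
```

Run it with one or more APK paths to scan real packages (for example the APKs pulled from a device or from an internal app store), or with no arguments to see the result on the constructed samples. A positive hit says only that the library is packaged; whether the embedded build carries the vulnerable code versions the report describes still has to be confirmed against the app's declared dependency, but the inventory is what lets a team prioritise which vendors to ask for a migration to Mapbox Maps SDK v10+ or MapLibre.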
“Gain visibility into these hidden risks”
Nico Chiaraviglio, Chief Scientist at Zimperium, remarked, “These vulnerabilities transform everyday apps into potential attack vectors. When trusted applications are shipped with outdated components, they create blind spots that can expose both users and enterprises.”
He further stated, “Our mission is to help organizations gain visibility into these hidden risks so they can protect the mobile apps and devices that power their business.”
Results
Zimperium’s analysis yielded several noteworthy findings:
- Thousands of Android apps still contain the vulnerable library.
- 40% of the affected apps rank among the top 20 in their respective Play Store categories.
- A significant number are installed on employee devices, posing serious BYOD (Bring Your Own Device) and enterprise exposure risks.