When people use Android applications, whatever’s happening in the background usually doesn’t cross their minds. Unfortunately, a programming option called dynamic code loading may pose security risks. Here’s what you need to know about it.
What Is Dynamic Code Loading?
In application development, the entire source code used when building an app makes up the codebase. Dynamic code loading allows an app to pull content from beyond its codebase and execute it during operation, or runtime.
This option can result in a smaller app size because a common practice is to store the code remotely instead of embedding it in the Android package kit (APK).
The APK is the file format Android uses when distributing and installing apps. It contains all components for an app to work on a compatible device. Dynamic code loading brings advantages from a development standpoint, including some that improve app usability.
For example, an app may show different content to a person depending on if they use the free or premium version. Dynamic code loading can display the correct content based on the user’s tier without increasing the APK size.
Additionally, dynamic code loading allows developers to release new app versions containing minor changes. Users get the latest versions without downloading anything.
Despite these advantages, dynamic code loading can raise risks related to Android app security.
Malicious Apps Often Feature Dynamic Code Loading
The authors of a 2019 research paper examined malicious Android apps to find their commonalities. They cited previous research completed by other parties that showed dynamic code loading as a top feature of dangerous apps.
Nearly 20,000 of the 86,798 apps in one investigation had dynamic code loading.
Further clarification indicated that people put a dangerous app’s core functionality into independent libraries, then use dynamic code loading to run it. That approach shields the app’s malicious behavior, making it less detectable.
Google’s documentation about the types of malware it detects even clarifies that dynamic code misuse could get flagged as a backdoor variety. The company defines backdoor malware as executing potentially harmful, remote-controlled actions on a device. It then gave an example of dynamic code loading allowing an app to extract text messages.
However, Google says it looks at whether the code execution explicitly performs malicious behavior. If not, the company treats arbitrary code execution as a vulnerability for a developer to patch.
In instances of dangerous apps, arbitrary code execution allows a hacker to remotely carry out commands on a targeted device.
Researchers Identify a Dynamic Code Loading Issue
Google frequently takes decisive actions to increase security for users. For example, third-party cookies track users, save their information, and later use it to show them targeted ads. However, the company will block third-party cookies on the Chrome browser by 2022. It did not give a specific date for the change.
Focusing on security doesn’t make a company free from problems, though. Cybersecurity researchers found persistent arbitrary code execution within the Google app and reported it to the company. The issue was fixed in May 2021, but it made more people pay attention to potential problems associated with dynamic code loading.
The researchers confirmed that the vulnerability would let an attacker only launch an app once before stealing a person’s Google data. A hacker could exploit the Google app flaw to pull a code library from a dangerous app on a person’s device.
From there, the cybercriminal could access nearly all of a person’s Google data, including their emails. They could even activate the user’s microphone, camera and real-time location information.
Pay Attention to Warnings About Dangerous App Vulnerabilities
Since dynamic code loading happens on the development end, an average app user can’t do anything to verify whether a certain offering might pose hidden dangers related to how it functions in the background. However, it’s wise to keep an eye out for any Android app security news that hits tech headlines.
Cybersecurity researchers continually look for issues that could put hundreds of thousands of app users at risk, then report on them. Staying aware of potential app dangers will help users decide if and when to update or delete a potentially problematic application.