NQ Mobile – Is Flurry to blame?

Seeking Alpha authors seem to enjoy spreading fear, uncertainty, and doubt (FUD) among shareholders. Seeking Alpha in general appears to be the shorts’ outlet for FUD lately, in this author’s opinion. For this article, I’d like to address three accusations shorts seem to harp on regarding NQ Mobile apps. First I’ll tackle the latest jab at NQ Mobile Security and then present some evidence that may make you think twice about Apple rejecting mobile apps. Finally, a quick discussion on an old accusation regarding AVTest not performing testing on NQ Mobile Security.

I won’t link to the Seeking Alpha articles in question. If you want to read them (or haven’t yet), then you know the website and ticker to find them. I won’t contribute to the penny-per-click bashers or to the Seeking Alpha clicks that get reported to their advertisers.

Many readers may be non-technical types, so let’s start with a simple definition of a source code library to help set the stage. Developers use source code libraries to include code in their applications that is already written and possibly distributed or sold by other parties. Now a technical definition:

In object-oriented programming, a class library is a collection of prewritten classes or coded templates, any of which can be specified and used by a programmer when developing an application program. The programmer specifies which classes are being used and furnishes data that instantiates each class as an object that can be called when the program is executed. Access to and use of a class library greatly simplifies the job of the programmer since standard, pretested code is available that the programmer doesn’t have to write.

Keep those definitions in mind while we continue down the rabbit hole the shorts have dug.

NQ Mobile Security App flaws

The most recent article cites the National Vulnerability Database, which indicates NQ Mobile Security v7.2.16.00 does not verify X.509 certificates from SSL servers. Keep in mind it also states that a “Victim must voluntarily interact with attack mechanism”, but there is no reason to argue the points and counterpoints of users who click and tap things they don’t understand. Let’s face it, they do. There is a much simpler explanation to all this though.

Our story begins with the respected Carnegie Mellon University Software Engineering Institute, sponsored by Homeland Security. In August of 2014, they started testing Android mobile apps on Google Play and Amazon for SSL certificate validation failures. On September 3rd, 2014, they released their initial findings in the form of a spreadsheet they promise to keep updated. It is worth reading their press release for further background.

Let’s start digging into this ongoing spreadsheet report to see what we find. Note that I highlighted CVE-2014-6024. The Seeking Alpha author wanted you to focus on the other CVE, but this one seems interesting since there are 175 apps currently identified with this flaw, and remember, they are still in the process of testing and updating this list daily.

NQ Mobile Security & Antivirus com.nqmobile.antivirus20 10,000,000+ 7.2.16.00 Yes Yes 8/27/2014 15:45:40 CVE-2014-6024,CVE-2014-5672 VU#660905 Web content,Flurry

So what is CVE-2014-6024? According to the National Vulnerability Database, “The Flurry library before 3.4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.” This was published on 9/8/2014, the same time as the NQ Mobile alert along with many others. Remember we started with a definition of a source code library, and here is the probable root cause: a third-party library.

Referencing the spreadsheet report again, we find the same information: Flurry versions before 3.4 contain the security issue with the same CVE reference.

Library   Link                    Verified   Vulnerable   Fixed version   CVE             VU#         Notes
Flurry    http://www.flurry.com/  Yes        Yes          3.4.0           CVE-2014-6024   VU#208585   Analytics

This brings us to the question: what is Flurry, and why is it causing so much havoc with so many mobile applications?

Flurry is a library of Java source code for mobile app publishers that provides in-app advertising and reports app analytics back to the publisher. In other words, if you wanted to create an app for either Apple or Android that was advertiser supported, then you might use Flurry by Yahoo!

Flurry isn’t the only one to blame for security flaws though! Take a look at the other libraries at the top of that spreadsheet. There are ten (10) libraries in total, and Flurry is only one of two (2) that have fixes available to app publishers.

Here are a few lines of code, out of over 2000, found in the NQ Mobile Security app that reference the Flurry library by Yahoo!

  • Program file: src\com\flurry\android\InstallReceiver.java
    • Flurry Reference: b = context.getFileStreamPath((new StringBuilder()).append(".flurryinstallreceiver.").append(Integer.toString(f.d().hashCode(), 16)).toString());
  • Program file: src\com\netqin\antivirus\log\b.java
    • Flurry Reference: import com.flurry.android.f;

The good news is that Yahoo FIXED this a few months ago. App developers just need to recompile with the new library version.
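As an added illustration (not Flurry’s or NQ Mobile’s code, and the page does not say how Flurry’s check actually failed), here is the most common way an Android library ends up “not verifying X.509 certificates from SSL servers”, beside the form that keeps the platform’s verification in place. The class and method names are hypothetical.

```java
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Hypothetical example of the CVE-2014-6024 bug class, not Flurry's real code.
public class TlsVerificationExample {

    // VULNERABLE pattern: a TrustManager that never throws, so every chain
    // "passes", and a HostnameVerifier that accepts any host. A crafted
    // certificate presented by a man-in-the-middle completes the handshake.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);          // replaces system trust store
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);         // disables hostname check
        return conn;
    }

    // HARDENED form: leave the defaults alone. HttpsURLConnection then validates
    // the chain against the device trust store and checks the hostname, so a
    // crafted certificate yields an SSLHandshakeException instead of a session.
    static HttpsURLConnection openVerified(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

When auditing decompiled sources like the ones listed above, an empty checkServerTrusted body or a verify() that simply returns true is the signature to look for; a library update only helps once the app is actually rebuilt against it.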

NQ Mobile released a patch one (1) day after the security flaw report was released. Version 7.2.18 is now available on Google Play.


Apple Rejects NQ Applications

While this accusation is a bit old, it may be worth touching on simply to continue down the rabbit hole. If you remember, towards the end of last year, it was claimed that Apple rejected NQ and FL Mobile applications for various sundry reasons. Let’s address this simply. On February 6th, 2014, Yahoo released a patch to the iOS Flurry library. Are you seeing a trend? Here is the Yahoo release note:

  • Version 4.3.2 - 02/06/2014: Addressed issue related to referencing IdentifierForAdvertisers that could lead to app being flagged during Apple review process.

It seems many app developers were being rejected by Apple during the same timeframe. Apple had modified their rules, and Yahoo needed to adjust their advertiser source code library to accommodate. Any ad-generating app was affected until a patch was available to recompile against. NQ Mobile apps did appear back in the Apple App Store later.

Here are some reference links for your own research that may help explain the ins and outs.  It would take an article unto itself for Sludge Reports to fully interpret the gritty details.


AVTest not including NQ Mobile in their 2014 testing

Shorts have made two accusations here. First, that AVTest dumped NQ Mobile from their testing. Second, that NQ Mobile is an inferior product to Lookout, Baidu, 360, and others.

According to AVTest, they carry “out more than 4,500 individual and comparative tests per year”. That’s a lot of testing! Is it any surprise that some months get skipped altogether, and that if a product doesn’t have a new version available and/or the testing hasn’t changed, some products may not be retested until criteria are met?

One can easily see that Android mobile security app testing skipped December 2013 and February, April, and August of 2014 so far.

But our real concern is whether NQ Mobile Security is any good. Let’s discuss and compare using their latest tests.

Baidu, one that shorts in some forums seem to rave about, wasn’t tested in January or March 2014. Version 4.2 was tested in May though, and then the new version 5.2 was tested in July. The 360 app seems to have a new version for every test and therefore is included in all of them. Lookout was tested in July and then September of 2013 but not since. Lookout is a free app mentioned by shorts many times for its robustness. A new version of Lookout was released on September 16th, 2014, so maybe it will be tested in the next round, but there isn’t much sense in including the current year-old test here.

NQ Mobile Security v7.2
  • Detection of a representative set of malicious apps discovered in the last 4 weeks (AV-TEST reference set)
    • Score 100%
    • Industry average 95.3%
  • Protection Score 6.0/6.0
  • Usability Score 6.0/6.0
  • Standard Features
    • Anti-Theft
    • Call Blocker
    • Message Filter
    • Safe Browsing
    • Parental Control
    • Backup
  • Other features:
    • Privacy Advisor
    • Network Manager
    • App Manager

Baidu v5.2

  • Detection of a representative set of malicious apps discovered in the last 4 weeks (AV-TEST reference set)
    • Score 99.85%
    • Industry average 98.3%
  • Protection Score 5.5/6.0
  • Usability Score 5.0/6.0
  • Standard Features
    • Anti-Theft
    • Call Blocker
    • Message Filter
    • Safe Browsing
    • Parental Control
    • Backup
  • Other features:
    • Smart Anti-Fraud
    • App Manager

360 v1.0

  • Detection of a representative set of malicious apps discovered in the last 4 weeks (AV-TEST reference set)
    • Score 100%
    • Industry average 98.3%
  • Protection Score 6.0/6.0
  • Usability Score 6.0/6.0
  • Standard Features
    • Anti-Theft
    • Call Blocker
    • Message Filter
    • Safe Browsing
    • Parental Control
    • Backup
  • Other features:
    • Secure Payment
    • Cleanup

CONCLUSION

The NQ Mobile Security Android flaw appears to be related to a Yahoo Flurry Java ad and analytics reporting library. It affects a growing list of developers that haven’t updated to the new library version.

The Apple store rejection also appears to be related to Yahoo source libraries, but this time the iOS library, and it affected all developers using the ad package.

AVTest indicates the latest version of NQ Mobile Security gets top marks and has more features than competitors.

However, using the shorts’ logic, Sludge Reports would propose you:

  • do not touch Lookout Mobile’s security app, even though there are many Silicon Valley angel investors involved. It must be garbage since AVTest hasn’t touched it in a while.
  • short Alibaba (BABA)! Alibaba’s mobile shopping app just got reported on Saturday with the same X.509 error, so $BABA should be worth less than $1. Shh… don’t tell them to download the new Yahoo library and recompile.
  • contact your Congressperson to impeach Barack Obama! Barack and the Democratic National Committee apparently are NOT “for America” as their app claims they are. Yes, they too were reported Saturday.

You can spin anything into a good-sounding conspiracy theory if you leave out the details. In Sludge Reports’ opinion, the NQ Mobile shorts who write for Seeking Alpha are doing just that!


Quick Update: How big is/was this potential problem associated with Yahoo’s Flurry library? Well, here are their July 2014 stats: 8,000 mobile app publishers potentially at risk in 150 countries!

Flurry is optimizing the mobile experience for developers, marketers and consumers. Flurry’s market-leading analytics product sees activity from more than 540,000 smartphone and tablet apps on over 1.4 billion devices worldwide.

Flurry has been delivering the platform and insights to help developers optimize and personalize their apps since 2008. The Flurry stats speak to their success.
• 170,000 developers use Flurry Analytics
• Flurry sees app activity from 1.4 billion devices monthly
• Flurry sees 5.5 billion app sessions per day
• Flurry Analytics is in 7 apps per device on average
• 8,000 publishers monetize with Flurry
• Flurry works with mobile developers in 150 countries
