NQ Mobile Security – Is The Competition Vulnerable? CMCM, QIHU, BIDU

If you haven’t read the first part of this investigation, please do so for some extensive background.

Sludge Reports would like to take this opportunity with our readers to explore the other mobile security app vendors to see if they suffer from the X.509 security flaw, and to elaborate a bit on the third party libraries being used by other mobile security apps.

Let’s begin by delving into Yahoo’s Flurry library. The headline of the last article was intended to shock, but the reality is, NQ Mobile couldn’t have picked a better vendor. All software vendors will have patches for their programs. As we learned in the first article, Flurry needed to modify their code based on an Apple App Store policy change earlier this year. They also needed to patch the X.509 security flaw so their customers, like NQ Mobile, would have safe products.

Yahoo agreed to purchase Flurry in July of this year to build their presence in mobile advertising and analytics.  As one Forbes author put it,

“Flurry is one of the biggest mobile ad firms in operation with a reach so vast it tracks more mobile phones than Google or Facebook. Such an acquisition would boost Yahoo’s ambitions to be a “mobile first” company, after it has struggled to match the growth of mobile ad revenues at rivals Facebook and Google.”

Quite a boast, and yet if you research Flurry, it proves to be a rather accurate statement that will probably be one of Marissa Mayer’s defining moments as CEO.

Keep in mind that all mobile apps use some third party library for ad revenue generation and analytical reporting.  After all, there is no sense in reinventing a wheel which has already been created 10+ times by different ad analytics vendors.  Flurry appears to be on top of the game though and growing.


Recapping the first part of this investigation

We previously discovered that NQ Mobile uses a third party source code library called Flurry, which is owned by Yahoo. Flurry happens to be one of two libraries with a patch for the X.509 security flaw according to the National Vulnerability Database. Since NQ Mobile uses Flurry, they could quickly patch their software and become the only safe mobile security app vendor available.

We also discovered that Apple’s rejection of their apps earlier this year may not have been NQ Mobile being singled out, but rather Apple changing their policies and the iOS (Apple’s mobile operating system) version of Flurry needing to be patched accordingly. Many developers encountered this problem but got their apps back in the Apple App Store once the patch was released by Flurry.

In any case, Flurry seems to be a very responsive company, sensitive to the changing needs of mobile.


Shorts and their neverending allegations

Following up on the security flaw allegation, Sludge Reports has uncovered additional information regarding the allegation by shorts that no other mobile security app has this flaw. Inherently false! If reasonable time to research had been taken, it would have been evident that the opposite is true. Odds are good that most current mobile security app versions have this flaw, NQ Mobile being the safe bet.

Included below is a list of third party advertising and analytics libraries the National Vulnerability Database identified as affected by the X.509 flaw. Since other mobile security app companies make use of these vendors’ libraries instead of Flurry, they are all but guaranteed to fail testing once CERT gets around to them.

There is no need to wait for them to test though, it is a simple matter to find out what third party library each of them uses.  All that is needed is source code, which can be easily obtained.   Sludge Reports will share the details of how you can do this yourself and confirm these findings.   Send an email to SludgeReportsLive@GMail.com  for the simple steps that even a relatively non-technical person can perform.  Of course if you already have an IT guy handy, he can probably just do it for you.


Other Top Rated AVTest Mobile Security Apps

AVTest gives high ratings to the three apps being reviewed. While NQ Mobile still has more features than the rest and maintains equal or better malicious code identification, these apps are considered strong competitors.

Taking a look at the source code for these three we find the X.509 security flaw in each.

Let’s start with a recent darling of the stock market, Cheetah Mobile.  Cheetah Mobile had an IPO a few months ago and rocketed from $12 to $30!  Is their app safe?


Cheetah Mobile (CMCM) contains the AppsFlyer analytics library, which to date has not been fixed. See CVE-2014-5528 for the X.509 flaw report.

Moving on to 360 by Qihoo (QIHU), it too contains the AppsFlyer analytics library, which to date has not been fixed. See CVE-2014-5528 for the X.509 flaw report.

Finally, let’s look at Baidu Mobile Security (BIDU). It contains the AdColony analytics library, which also to date has not been fixed. See CVE-2014-5524 for the X.509 flaw report.

libdexanalysis (identified in the screenshot above) is a library which contains three references to AdColony. Here is one of those three.

If NQ Mobile was considered a short because of a fixed security flaw, then one must wonder what to do with CMCM, QIHU, and BIDU! Will they switch to Flurry or wait for their current ad vendors to patch their code libraries?


The list of applications vulnerable to this X.509 attack is endless. It’s not just mobile security apps at risk, but even that cute little game you downloaded this weekend. In fact, unless the app developer used the patched version of Flurry, your smartphone may be at risk!

NQ Mobile Security may be the only safe bet in mobile security apps.

This should cast Seeking Alpha short authors in a very unflattering light!  They singled out the only security app that had a patch available and shorted the stock.

What’s on your Android? 

(a suggestion, use NQ Mobile )

* Be sure to follow Sludge Reports as we expose more short myths from our intense 6 months of research.

List of libraries that have or have not been fixed per the National Vulnerability Database

Library                       Verified  Vulnerable  Fixed version  CVE            VU#
http://www.flurry.com/        Yes       Yes         3.4.0          CVE-2014-6024  VU#208585
https://www.chartboost.com/   Yes       Yes         2.0.2          CVE-2014-6025  VU#775305
http://www.adcolony.com/      Yes       Yes         (none)         CVE-2014-5524  VU#199345
http://www.playscape.com/     Yes       Yes         (none)         CVE-2014-5525  VU#935465
http://www.inmobi.com/        Yes       Yes         (none)         CVE-2014-5526  VU#571145
http://home.tapjoy.com/       Yes       Yes         (none)         CVE-2014-5527  VU#123577
http://www.appsflyer.com/     Yes       Yes         (none)         CVE-2014-5528  VU#157457
http://www.gameloft.com/      Yes       Yes         (none)         CVE-2014-5529  VU#943033
https://www.zopim.com/        Yes       Yes         (none)         CVE-2014-5530  VU#794753
http://www.fiksu.com/         Yes       Yes         (none)         CVE-2014-5971  VU#849577
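The CERT notes in the table above all describe the same class of defect: the vendor's Android SDK does not properly validate the X.509 certificate presented by an SSL server, so the library's own traffic can be intercepted. The post's method for checking an app is to obtain its code and see which of these libraries it bundles. The script below, an added example that is not part of this post and not any vendor's code, automates that check against the table: it opens an APK (a zip), scans every classes*.dex it contains for class descriptors under each SDK's Java package prefix, and reports the matching CVE and VU# together with the fixed version where the table lists one. The package prefixes are my assumptions and should be confirmed against each vendor's SDK documentation before relying on a negative result; the sample APK the script builds is constructed for the demonstration. Note that the scan tells you a library is present, not which version; for Flurry and Chartboost the bundled version still has to be compared with the fixed version from the table.

```python
"""
Added example: report which advertising/analytics SDKs from the NVD list
are bundled in an Android APK, and the CVE / CERT VU# each one maps to.

Assumptions (mine, not from the post or any vendor):
  * Each SDK lives under a known Java package prefix (PACKAGE PREFIXES BELOW
    ARE ASSUMED and should be confirmed against the vendor's documentation).
  * Bundled code sits in classes*.dex inside the APK zip, and a reference to
    a class in that package appears as a descriptor string such as
    "Lcom/appsflyer/AppsFlyerLib;" in the dex string table.
"""
import io
import re
import zipfile

# (vendor, assumed package prefix, CVE, VU#, fixed version) -- CVE, VU# and
# fixed version are taken from the post's table; the prefix is an assumption.
VULNERABLE_SDKS = [
    ("Flurry",     "com/flurry/",         "CVE-2014-6024", "VU#208585", "3.4.0"),
    ("Chartboost", "com/chartboost/",     "CVE-2014-6025", "VU#775305", "2.0.2"),
    ("AdColony",   "com/jirbo/adcolony/", "CVE-2014-5524", "VU#199345", None),
    ("Playscape",  "com/playscape/",      "CVE-2014-5525", "VU#935465", None),
    ("InMobi",     "com/inmobi/",         "CVE-2014-5526", "VU#571145", None),
    ("Tapjoy",     "com/tapjoy/",         "CVE-2014-5527", "VU#123577", None),
    ("AppsFlyer",  "com/appsflyer/",      "CVE-2014-5528", "VU#157457", None),
    ("Gameloft",   "com/gameloft/",       "CVE-2014-5529", "VU#943033", None),
    ("Zopim",      "com/zopim/",          "CVE-2014-5530", "VU#794753", None),
    ("Fiksu",      "com/fiksu/",          "CVE-2014-5971", "VU#849577", None),
]

DEX_NAME = re.compile(r"^classes\d*\.dex$")


def dex_blobs(apk_bytes):
    """Yield the raw bytes of every classes*.dex entry in an APK (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if DEX_NAME.match(name):
                yield zf.read(name)


def find_bundled_sdks(apk_bytes):
    """Return one dict per listed SDK whose package prefix occurs as a class
    descriptor ("L<prefix>...;") in any dex file, in table order."""
    blobs = list(dex_blobs(apk_bytes))
    hits = []
    for vendor, prefix, cve, vu, fixed in VULNERABLE_SDKS:
        needle = b"L" + prefix.encode("ascii")
        if any(needle in blob for blob in blobs):
            hits.append({
                "vendor": vendor,
                "cve": cve,
                "vu": vu,
                # A byte scan cannot recover the SDK version, so where the table
                # lists a fix the bundled version must still be checked by hand.
                "fixed_version": fixed,
                "action": (f"confirm bundled version >= {fixed}" if fixed
                           else "no fixed version listed; treat as vulnerable"),
            })
    return hits


def build_sample_apk(class_descriptors):
    """Constructed test input: a minimal zip holding a fake classes.dex whose
    payload is just the given descriptors. A real dex has a header and an
    indexed string table, but the substring check above needs neither."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex",
                    b"\x00".join(d.encode("ascii") for d in class_descriptors))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an app that bundles AppsFlyer alongside its own code.
    sample = build_sample_apk([
        "Lcom/example/security/MainActivity;",
        "Lcom/appsflyer/AppsFlyerLib;",
    ])
    for hit in find_bundled_sdks(sample):
        print(f"{hit['vendor']}: {hit['cve']} {hit['vu']} -> {hit['action']}")
```

To run it against a real app, replace the constructed sample with `open("app.apk", "rb").read()`; a library that is loaded dynamically or shipped as native code (the post's libdexanalysis example) will not show up in the dex scan, so an empty result is a reason to inspect the APK's other contents, not proof that no affected library is present.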
