CVE-2019-11932 describes a vulnerability in what product? https://nvd.nist.gov/vuln/detail/CVE-2019-11932 …
Correct answer: CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet the CVE text doesn't mention "android-gif-drawable". It only mentions WhatsApp. I'm aware of over 28,400 free Android apps that use this library. I wonder how many app authors are aware?
For example, here's a demonstration of viewing a crafted message with an app called Chomp SMS. It has over 10 million installs and also uses android-gif-drawable. When @facebook created the entry for CVE-2019-11932, they neglected to mention anything other than WhatsApp. pic.twitter.com/dYJJp2bUOz
Is there a database of Android Apps along with frameworks they are using? How do you correlate it? What sources do you use?
Replying to @marcinguy @Facebook
I've been downloading Android apps since I started looking for apps with private keys in them. An Android manifest file will contain the list of files contained in an app. I just queried my Android pile for apps that include libpl_droidsonroids_gif.so https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263 …
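The kind of query described in the reply above, as an added example that is not the author's script or the contents of the linked gist: since an APK is a ZIP archive, its entry list can be checked for the native library without extracting anything. The function names and the sample archives are constructed for illustration, and a hit only shows that the library is bundled, not which version.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

# Native library shipped by android-gif-drawable (file name taken from the thread).
TARGET_LIB = "libpl_droidsonroids_gif.so"


def find_native_lib(apk, lib_name=TARGET_LIB):
    """Return archive paths of the form lib/<abi>/<lib_name>, or None if unreadable.

    `apk` is a path or a binary file object. Only the ZIP entry list is read.
    """
    hits = []
    try:
        with zipfile.ZipFile(apk) as zf:
            for name in zf.namelist():
                p = PurePosixPath(name)
                if len(p.parts) == 3 and p.parts[0] == "lib" and p.name == lib_name:
                    hits.append(name)
    except zipfile.BadZipFile:
        return None  # truncated or non-APK file: report it, do not count it as clean
    return sorted(hits)


def scan_directory(root, lib_name=TARGET_LIB):
    """Map every *.apk under root to its hits (None marks an unreadable archive)."""
    return {f.name: find_native_lib(f, lib_name)
            for f in sorted(Path(root).rglob("*.apk"))}


def make_sample_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    bundled = make_sample_apk(["AndroidManifest.xml", "classes.dex",
                               "lib/arm64-v8a/" + TARGET_LIB,
                               "lib/armeabi-v7a/" + TARGET_LIB])
    clean = make_sample_apk(["AndroidManifest.xml", "lib/arm64-v8a/libother.so"])
    print("bundled:", find_native_lib(bundled))
    print("clean:  ", find_native_lib(clean))
    print("broken: ", find_native_lib(io.BytesIO(b"not a zip")))
```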
I plan to notify each of the app authors next time I'm at a computer. But let me just say that I blame:
@facebook for mis-scoping CVE-2019-16920
@GooglePlay for not doing this themselves. I have access to neither the whole set of free apps nor *any* of the for-pay Play Store apps
+1 Maybe Google Play Store Protect can help with this in the future @GooglePlay by looking up hashes of vuln native dependencies and warning users and maintainers about it. Not sure how the system works and if this is feasible
Indeed. We'll bring it up with Google. As for the apps I know about, the notifications for CVE-2019-11932 (CERT VU#479272) are now flowing!