G.Yu. Paguba, A.A. Volkov, N.N. Samarin
Problem Statement. Vulnerabilities in open-source components can compromise the confidentiality, integrity, and availability of information processed by products that use these components. The most promising technique for preventing the exploitation of known vulnerabilities in open-source components is software composition analysis.
Objective. To present a method for detecting potentially vulnerable native open-source components in Android-based cordless phone applications using a wavefront alignment algorithm.
Results. A method for detecting potentially vulnerable native open-source components in Android-based cordless phone applications using a wavefront alignment algorithm is proposed. A software prototype is developed and experimentally evaluated. The experiments showed that the proposed method detects potentially vulnerable open-source components without the need to create, store, and update a feature database for these components.
Practical Relevance. Further research in this area can be aimed at developing new tools for detecting and patching n-day vulnerabilities in the software code of Android-based cordless phone applications.
Paguba G.Yu., Volkov A.A., Samarin N.N. Usage of wavefront alignment algorithm for finding of potentially vulnerable native components with open-source code in Android applications. Radiotekhnika. 2026. V. 90. № 2. P. 66−72. DOI: https://doi.org/10.18127/j00338486-202602-09 (In Russian)
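The alignment step at the core of the method, as an added illustration that is not the paper's prototype code: a unit-cost wavefront alignment (edit distance) between a token sequence taken from a function of a known open-source component and a candidate sequence extracted from an application's native library, turned into a similarity score and a threshold decision. The mnemonic sequences, the 0.8 threshold and the function names below are constructed assumptions, not values from the paper.

```python
"""Wavefront alignment (WFA, unit edit costs) for comparing native code sequences.

Added example, not code from the paper. It assumes the analyst already has two
token sequences (e.g. instruction mnemonics after disassembly) for a function
of a known open-source component and for a candidate function extracted from
an app's native library. All sample data here is constructed.
"""
from typing import Dict, List, Sequence


def wfa_edit_distance(pattern: Sequence, text: Sequence) -> int:
    """Levenshtein distance computed with the wavefront algorithm.

    Diagonal k = h - v, where h indexes `text` and v indexes `pattern`.
    For each score s we keep, per diagonal, the furthest-reaching text offset h.
    Work grows with the distance rather than with len(pattern) * len(text),
    so near-identical sequences (the common case in composition analysis)
    are resolved after only a few wavefronts.
    """
    n, m = len(pattern), len(text)
    wavefront: Dict[int, int] = {0: 0}  # score 0: diagonal 0, offset 0
    score = 0
    while True:
        # Extend: slide along each diagonal while symbols match (free moves).
        for k, h in list(wavefront.items()):
            v = h - k
            while v < n and h < m and pattern[v] == text[h]:
                v += 1
                h += 1
            wavefront[k] = h
        # Finished when the wavefront reaches the end of both sequences:
        # on diagonal m - n an offset of m means v = n as well.
        if wavefront.get(m - n) == m:
            return score
        # Next wavefront: one more edit (insertion, deletion or substitution).
        score += 1
        nxt: Dict[int, int] = {}
        for k in range(-score, score + 1):
            candidates: List[int] = []
            if k - 1 in wavefront:  # insertion: consume one text symbol
                candidates.append(wavefront[k - 1] + 1)
            if k + 1 in wavefront:  # deletion: consume one pattern symbol
                candidates.append(wavefront[k + 1])
            if k in wavefront:      # substitution: consume one of each
                candidates.append(wavefront[k] + 1)
            # Discard offsets that leave either sequence; keep the furthest.
            valid = [h for h in candidates if h <= m and 0 <= h - k <= n]
            if valid:
                nxt[k] = max(valid)
        wavefront = nxt


def similarity(a: Sequence, b: Sequence) -> float:
    """1.0 for identical sequences, 0.0 when every position differs."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return 1.0 - wfa_edit_distance(a, b) / longest


def is_potential_match(reference: Sequence, candidate: Sequence,
                       threshold: float = 0.8) -> bool:
    """Flag a candidate function as a likely copy of the reference.

    The threshold is an assumed tuning value; a real deployment would
    calibrate it against known-good and known-different pairs.
    """
    return similarity(reference, candidate) >= threshold


# Constructed mnemonic sequence for a function of a known open-source component.
REFERENCE = "push mov sub mov call test jz mov call add pop ret".split()
# Constructed candidate: same function after a compiler inserted a nop and
# flipped the branch polarity (one insertion, one substitution).
CANDIDATE_REBUILT = "push mov sub nop mov call test jnz mov call add pop ret".split()
# Constructed candidate from an unrelated function.
CANDIDATE_UNRELATED = "xor lea cmp jne ret".split()

if __name__ == "__main__":
    for name, cand in (("rebuilt", CANDIDATE_REBUILT),
                       ("unrelated", CANDIDATE_UNRELATED)):
        print(name, wfa_edit_distance(REFERENCE, cand),
              round(similarity(REFERENCE, cand), 3),
              is_potential_match(REFERENCE, cand))
```

Because the wavefront only advances one score level per loop iteration, comparing a candidate against a large set of reference functions can stop early once the score exceeds the distance allowed by the threshold, which is what makes the approach practical without a precomputed feature database.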