20 Nov 2025

Zimperium, the global pioneer in mobile security, revealed findings from its zLabs team showing that thousands of popular Android applications — including top travel, airline, and weather apps — are still using an outdated mapping component that could put users and enterprises at risk.

The investigation, titled “Follow the Map to Enterprise Risk: What’s Inside Popular Android Apps,” found that a legacy library known as libmapbox-gl.so, once part of Mapbox GL Native, remains embedded in thousands of active apps despite being deprecated in 2023. 

The outdated library includes older code versions containing known security flaws — issues that could be exploited to compromise devices, steal data, or disrupt app functionality.

Strengthening app ecosystem security

Zimperium continues to work closely with Google through the App Defence Alliance (ADA) to strengthen app ecosystem security. While there is currently no evidence of active exploitation, developers using the archived Mapbox GL Native SDK are strongly encouraged to migrate to Mapbox Maps SDK v10+ or MapLibre to maintain app security and integrity.

“These vulnerabilities transform everyday apps into potential attack vectors,” said Nico Chiaraviglio, Chief Scientist at Zimperium, adding, “When trusted applications ship with outdated components, it creates blind spots that can expose both users and enterprises. Our mission is to help organisations gain visibility into these hidden risks — so they can protect the mobile apps and devices that power their business.”

Zimperium’s analysis revealed:

  • Thousands of Android apps still contain the vulnerable library.
  • 40% of affected apps rank among the top 20 in their Play Store categories.
  • Many are installed on employee devices, creating serious BYOD and enterprise exposure.