Maps are one of the most common features in mobile apps. From checking the weather to boarding a plane to navigating a new city — maps give context and convenience. But hidden inside some of today’s most popular Android apps is a library that quietly undermines security for millions of users.
That library is libmapbox-gl.so, once part of Mapbox GL Native (SDK v9 and below). Archived since August 2023, this library remains embedded in thousands of active apps — including airline, weather, and travel companions — and it comes with a dangerous surprise: it statically links to SQLite 3.24.0 (2018), a version riddled with critical vulnerabilities.
These vulnerabilities, unknowingly present in legitimate apps on employees’ devices, create significant enterprise risks, including credential and token hijacking, data theft, and denial-of-service (DoS) risks.
In the second half of the year, Zimperium’s zLabs team analyzed the top-ranked apps across Google Play, APKMirror, and VirusTotal. The results are alarming:
libmapbox-gl.so.
For enterprises, this represents a BYOD nightmare: trusted apps installed by employees may introduce exploitable flaws. For developers, it’s a cautionary tale about how outdated dependencies become ticking time bombs.
Mobile users rarely think about the libraries powering their apps. If the map loads quickly and looks beautiful, everything seems fine. But beauty can hide danger.
In 2023, Mapbox GL Native was officially deprecated and archived. Its replacement, Mapbox Maps SDK v10+, adopted new rendering backends and abandoned libmapbox-gl.so. But many developers chose not to migrate: API changes were disruptive, migrations required significant effort, and the old SDK still “worked.”
The cost of inaction, however, is that today millions of devices are running apps with a library that hasn’t been updated in years — and bundles a database engine with 19+ known CVEs.
Think of it as using an outdated paper map: the roads may still be there, but the bridges have collapsed, and attackers know exactly where the gaps are.
At the heart of this risk is libmapbox-gl.so, a native library that powered Mapbox’s vector map rendering. It was widely adopted because it was:
Unfortunately, it also included a statically compiled version of SQLite 3.24.0 (2018). This means:
Despite Mapbox archiving the project in 2023, libmapbox-gl.so still lives on inside many apps, exposing their entire install base.
To measure the scale, Zimperium analyzed apps across APKMirror, VirusTotal, and the Google Play Store.
libmapbox-gl.so.
This highlights two critical realities:
SQLite is one of the most widely used databases in the world — but like any software, it requires updates.
SQLite 3.24.0 was released in June 2018. Since then, at least 19 vulnerabilities have been discovered, several of which allow memory corruption, out-of-bounds reads, or even remote code execution.
Below we have a selection of CVEs that could be exploited in the context of a mobile application and how they can be used in attack scenarios.
Summary: An integer overflow in SQLite’s concat_ws() causes a truncated length to be used when allocating a buffer, then the full (untruncated) length is written, producing a huge (~4GB) heap buffer overflow and possible arbitrary code execution.
CVSS: 6.9
Attack scenarios
concat_ws() or exposes SQL execution on strings built from untrusted inputs (e.g., merging metadata fields from remote tiles, user-supplied data, or sync payloads), an attacker could craft arguments that cause the overflow.
concat_ws() path when Mapbox/SQLite processes text fields.
Risks to apps
Summary: A heap-based buffer overflow in the SQLite session extension (sessionReadRecord) can be triggered by specially crafted session data; affects SQLite up through 3.43.0.
CVSS: 5.5
Attack scenarios
Risks to apps
Summary: Handling of extremely large string inputs (billions of bytes) could cause an array-bound overflow in certain SQLite builds prior to the fix; it is triggered when attacker-supplied string arguments to C API functions are not length-checked.
CVSS: 7.5
Attack scenarios
Risks to apps
Summary: A flaw in SQLite’s query flattening optimization in select.c mismanages certain query shapes and can lead to a multiSelectOrderBy heap overflow in older releases.
CVSS: 5.5
Attack scenarios
Risks to apps
Summary: A set of issues in older SQLite releases (around 3.32.1) including integer overflows and read-access to NULL pointers in core functions such as printf.c and sqlite3ExprCodeTarget — leading to crashes or potential memory corruption.
CVSS: 5.5
Attack scenarios
Risks to apps
Summary: FTS3/FTS4 extensions had integer overflow bugs (Magellan) enabling buffer overflows in certain shadow-table operations; malformed PRIMARY KEY handling could cause crashes/DoS. These were high-severity vulnerabilities discovered in 2018 and patched in later SQLite releases.
CVSS: 8.1/7.5
Attack scenarios
Risks to apps
These individual CVEs are dangerous, but their risk is amplified when they are used as building blocks in a larger attack. We've outlined several high-impact scenarios below:
While some of these bugs require specific conditions, attackers are creative. Combined with GPU driver flaws or firmware exploits, they could be chained into sandbox escapes or remote code execution on devices.
If the risks are this serious, why haven’t developers updated?
This creates the perfect storm: millions of users run vulnerable apps, while developers delay migrations, and attackers quietly research old CVEs.
The presence of vulnerable libraries inside trusted apps is more than a developer inconvenience — it’s an enterprise risk vector.
In a BYOD environment, an employee's “innocent” weather or airline app may:
Blind trust in app store apps is no longer sufficient. Vulnerabilities don’t care whether an app is popular, free, or even preinstalled by airlines.
The continued use of the deprecated libmapbox-gl.so library is a ticking time bomb. For any developer whose app still packages this library, migration is not optional—it's an essential security requirement. Here is how to audit your project and make the necessary switch:
lib/armeabi-v7a/, lib/arm64-v8a/, etc. for libmapbox-gl.so.
com.mapbox.mapboxsdk:mapbox-android-sdk:9.x.x.
The libmapbox-gl.so vulnerability highlights a critical, ecosystem-wide visibility gap. It persists because both enterprises and developers are often blind to the risks buried in third-party code, which raises two fundamental questions:
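The audit steps above can be scripted so they run in a CI job as well as by hand. The following is an added example written for this post's readers; it is not Zimperium's tooling and not Mapbox code. It opens an APK, reports every lib/<abi>/libmapbox-gl.so, looks inside each copy for the database file magic ("SQLite format 3") and the SQLITE_VERSION string that a statically linked sqlite3.c leaves in the binary, and checks a build.gradle for the 9.x coordinate. Assumptions: the 3.43.1 "minimum safe" threshold is derived from the session-extension bug's stated range and should be raised as new SQLite advisories appear; the fixture APK, its fake library bytes and the Gradle snippet are constructed for the demonstration and contain no real code.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Library file name and Gradle coordinate named in the post.
VULNERABLE_LIB = "libmapbox-gl.so"
MAPBOX_COORD_RE = re.compile(
    r"com\.mapbox\.mapboxsdk:mapbox-android-sdk:(\d+)\.(\d+)\.(\d+)"
)

# sqlite3.c embeds the database file magic and the SQLITE_VERSION string
# ("3.24.0" in the build discussed here) as plain bytes, so both survive
# in any native library that statically links SQLite.
SQLITE_MAGIC = b"SQLite format 3"
SQLITE_VERSION_RE = re.compile(rb"(?<![0-9.])3\.(\d{1,2})\.(\d{1,2})(?![0-9.])")

# Assumption: the post says the session-extension bug reaches 3.43.0, so
# anything at or below that is reported as carrying a known CVE.
MIN_SAFE_SQLITE = (3, 43, 1)

Version = Tuple[int, int, int]


def sqlite_versions_in(blob: bytes) -> List[Version]:
    """Candidate SQLite versions embedded in a native library's bytes.

    Only reported when the file magic is also present, so that unrelated
    "3.x.y" strings (e.g. other component versions) are not mistaken
    for an embedded SQLite.
    """
    if SQLITE_MAGIC not in blob:
        return []
    found = {(3, int(m.group(1)), int(m.group(2)))
             for m in SQLITE_VERSION_RE.finditer(blob)}
    return sorted(found)


def audit_apk(apk: bytes) -> dict:
    """Inspect an APK (as bytes) for libmapbox-gl.so and its SQLite version."""
    libs: List[str] = []
    versions: List[Version] = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            # Native libraries live under lib/<abi>/ inside the APK.
            if name.startswith("lib/") and name.endswith("/" + VULNERABLE_LIB):
                libs.append(name)
                versions.extend(sqlite_versions_in(zf.read(name)))
    return {
        "libs": libs,
        "sqlite_versions": versions,
        # The library is archived, so any copy is a finding on its own.
        "vulnerable": bool(libs),
        # Separate flag: an embedded SQLite below the assumed safe floor.
        "sqlite_outdated": any(v < MIN_SAFE_SQLITE for v in versions),
    }


def audit_gradle(build_gradle: str) -> List[str]:
    """Mapbox SDK coordinates at major version 9 or below (GL Native era)."""
    return [m.group(0) for m in MAPBOX_COORD_RE.finditer(build_gradle)
            if int(m.group(1)) <= 9]


def build_sample_apk() -> bytes:
    """Constructed fixture: an APK-shaped zip carrying a fake libmapbox-gl.so."""
    fake_lib = b"\x7fELF" + b"\0" * 16 + SQLITE_MAGIC + b"\0" + b"3.24.0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("lib/arm64-v8a/libmapbox-gl.so", fake_lib)
        zf.writestr("lib/arm64-v8a/libother.so", b"\x7fELF" + b"\0" * 16)
    return buf.getvalue()


# Constructed build.gradle snippet; "org.example" is a placeholder dependency.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.mapbox.mapboxsdk:mapbox-android-sdk:9.7.1'
    implementation 'org.example:other-maps:2.0.0'
}
"""

if __name__ == "__main__":
    print(audit_apk(build_sample_apk()))
    print(audit_gradle(SAMPLE_BUILD_GRADLE))
```

For a real project, feed `audit_apk` the bytes of the release APK (or each split APK from a bundle) and fail the build when `vulnerable` is true; the version heuristic is a signal, not proof, because a stripped or obfuscated build may drop the version string while still shipping the 2018 engine.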
Zimperium provides the solutions to answer both of these challenges.
Mobile App Vetting answers the enterprise visibility challenge. It's a comprehensive solution that continuously scans and analyzes all mobile applications in your corporate environment, detecting specific, code-level vulnerabilities precisely like the hidden libmapbox-gl.so library. Security teams can:
For developers, the libmapbox-gl.so issue is a perfect example of how easily hidden risks can be inherited. Relying on third-party libraries is necessary to build modern apps quickly, but it also means you inherit all of their security flaws—even from libraries buried deep in a dependency tree.
Manually auditing every component is impossible. The real danger is that these vulnerabilities are often discovered after an app is released, forcing costly emergency patches, damaging user trust, and pulling teams away from feature development.
To solve this, developers need a way to find these issues "early and often." The most effective solution is an automated scanning platform that integrates directly into the CI/CD pipeline. This "shift-left" approach allows teams to find vulnerabilities—both in their own code and in third-party libraries—while they are still easy and cheap to fix, long before they ever reach production.
This is precisely the challenge zScan was built to solve. It is Zimperium's answer to the developer's need for early visibility. zScan integrates directly into your existing development workflow to:
libmapbox-gl.so) before they are merged.
By combining research-driven analysis with enterprise-scale tooling, Zimperium enables both sides of the mobile ecosystem to address these risks head-on.
Maps guide us to our destinations — but in the mobile world, they can also guide attackers if built on outdated foundations.
The persistence of libmapbox-gl.so inside today’s most popular Android apps demonstrates how tech debt becomes a security debt. Millions of users may already be carrying vulnerable apps in their pockets.
With Zimperium App Vetting and zScan, enterprises and developers gain the visibility, intelligence, and tools to spot these hidden risks before they become breaches.
Because in mobile security, it’s not enough for the map to look good — it has to be safe.
Through our participation in the App Defense Alliance (ADA), Zimperium collaborates directly with Google to improve security and help protect the Play Store. However, Google Play app developers are responsible for maintaining the security of their applications in accordance with Play policies, which do not allow code that introduces or exploits security vulnerabilities. Google provides a range of tools, resources, and best practices to help developers build and maintain secure apps. At the time of writing, there is no evidence that the libmapbox-gl.so library was actively exploited.