Hi, I'm the founder of SourceDNA. I'm happy to answer questions here.

It's difficult to track which 3rd-party libraries your apps include, especially in a large company and across acquisitions. If one of those libraries is vulnerable, how does its vendor (or open-source author) find the relevant developers and notify them?

At SourceDNA, we're constantly indexing mobile apps and analyzing their code. On March 30th, we were able to look up which apps use AFNetworking (over 100k in the whole store), select those which were updated recently (20k), and then list which ones had the vulnerable code (AFNetworking 2.5.1, about 1,000 apps).

We just finished an update scan yesterday to see how well developers have been fixing this flaw. We were shocked to find that while 250 apps have been patched, the total number of vulnerable apps has risen to 1,500! Our theory is that these apps were being updated for other reasons and the development cycle is slow enough that the flawed code from Feb-March is just now appearing in recent releases.

We're offering a service to developers. Sign up with your email and we'll monitor your apps for you and notify you of flaws like this, as well as how to fix them. It is extremely low noise since we only tell you about flaws that affect your own code.

Check it out and I'd love your feedback: http://searchlight.sourcedna.com