Secret keys hidden in Google Play apps pose security risk, researchers find
A team of researchers at Columbia University say they've found a critical security flaw in Google Play apps that could potentially be used to steal user data or resources from Amazon and Facebook.
Google Play, the marketplace for Android apps, is known for having lighter restrictions on developers than Apple's tightly-controlled iOS. That strategy encourages innovation but may leave users vulnerable to security risks.
The security gap was discovered by Jason Nieh, a Columbia University professor of computer science, and PhD candidate Nicolas Viennot.
They developed PlayDrone -- a tool that uses what's described as "various hacking techniques" to circumvent Google security measures, allowing them to successfully download Google Play apps and decompile source code for over 880,000 apps.
Using the data amassed from PlayDrone, the duo found that developers often stored their secret keys -- which Nieh and Viennot likened to usernames and passwords -- in their app software. These keys can be used to access user data; many of the apps designated by Google Pay as coming from "Top Developers" have the same vulnerabilities in their apps, Nieh noted in a press release.
Google is already working to fix these issues. Developers have been contacted and asked to remove the secret keys from their source code, according to Viennot.
"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," Viennot said. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
PlayDrone also found that a quarter of all Google Play free apps are "clones," or apps that are attempting to ride on the coattails of popular apps such as WhatsApp and Angry Birds. They also found a performance problem resulting in very slow app purchases, which has been fixed. And were surprised to discover that one of the worst-rated apps on the site still managed to get a million downloads.
Viennot presented their findings at the ACM Sigmetrics conference in Texas this week, and was awarded the Ken Sevcik Outstanding Student Paper Award.