Researchers at Columbia University School of Engineering performing a large-scale measurement study on the Google Play marketplace have revealed crucial security problems, including secret key data stored by developers in their apps that, if stolen, could be exploited to steal user data from the likes of Amazon and Facebook.
Using a crawler of their own invention called "PlayDrone" to index and analyze apps, the team of professor Jason Nieh and PhD candidate Nicolas Viennot used numerous techniques to get around Google security to download Google Play apps and recover the sources attached to them.
As a result, the team discovered security flaws and vulnerabilities that simply went unnoticed because – according to the researchers – very little is known about what is uploaded to Google Play by developers, and most of what is stored along with the apps is largely unknown in terms of content. The so-called "secret keys" found in this way were originally stored by developers as part of their apps' information and, if stolen, would allow people to gain access to user details from service providers such as Amazon and Facebook.
"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play – anyone can get a US$25 account and upload whatever they want. Very little is known about what's there at an aggregate level," said Jason Nieh, "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."
To crawl Google Play on a daily basis, PlayDrone was made scalable – automatically adding more servers to handle the load as required. Using this technique, the team was able to download more than one million Android apps and decompile over 880,000 of the free applications available.
After processing this data and analyzing their findings, the team has since been integral in assisting to help plug the security holes and remove the vulnerabilities, by remaining in constant contact with Google and allowing the use of their technology. As a result, Google has already begun to improve the methods and protocols employed at Google Play.
"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," says Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."
As an aside to looking at all of this data, the PlayDrone team claim to also have discovered various other interesting things about the apps on Google Play that were not security related, but telling of the state of the system. This includes the assertion that approximately a quarter of all free Google Play apps are simply duplicates – or clones – of other apps already available.
Additionally, one particular app that claimed to weigh objects placed on the screen of a device containing it was simply not true (it merely displayed a random number), still had more than a million downloads. This was despite the fact that it was rated the worst app on Google Play.
The details of the team's research was presented in a paper at the ACM SIGMETRICS conference on June 18.
Source: Columbia University
