
Researchers uncover widespread security flaw in Google Play apps

Researchers used "Playdrone" to reveal crucial security flaws in Google Play apps, including secret keys (Image: Columbia University)

Researchers at Columbia University School of Engineering performing a large-scale measurement study on the Google Play marketplace have revealed crucial security problems, including secret key data stored by developers in their apps that, if stolen, could be exploited to steal user data from the likes of Amazon and Facebook.

Using a crawler of their own design called "PlayDrone" to index and analyze apps, the team of professor Jason Nieh and PhD candidate Nicolas Viennot used numerous techniques to get around Google's security measures, download Google Play apps and recover the source code attached to them.

As a result, the team discovered security flaws and vulnerabilities that had simply gone unnoticed because, according to the researchers, very little is known about what developers upload to Google Play, and the content stored along with the apps is largely unexamined. The so-called "secret keys" found in this way were originally stored by developers as part of their apps' data and, if stolen, would allow an attacker to gain access to user details held by service providers such as Amazon and Facebook.
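A defender-side check for the class of problem described above, added here as an illustration and not part of the original article or of PlayDrone: it parses a constructed Android `strings.xml` (the values are made up, modelled on the AWS documentation placeholders) and flags AWS-style access key IDs as well as high-entropy values stored under secret-looking resource names, which is the kind of finding a pre-publish scan of an app package would surface.

```python
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample resource file, as a decompiled APK would ship it under
# res/values/strings.xml. None of these values are real credentials.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Weather</string>
    <string name="aws_access_key">AKIAEXAMPLEKEY000001</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="fb_app_id">123456789012345</string>
    <string name="welcome">Welcome back!</string>
</resources>
"""

# AWS access key IDs are 20 characters and start with "AKIA".
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Resource names that suggest the value is meant to be confidential.
SUSPICIOUS_NAME_RE = re.compile(r"secret|key|token|password|passwd", re.I)


def shannon_entropy(text):
    """Bits of entropy per character; random-looking secrets score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text, min_len=20, min_entropy=4.0):
    """Return (resource name, finding type) pairs for suspicious strings.

    Two checks: a known credential format (AWS access key ID), and a
    heuristic for long, high-entropy values under secret-looking names.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if AWS_ACCESS_KEY_RE.search(value):
            findings.append((name, "aws_access_key_id"))
        elif (SUSPICIOUS_NAME_RE.search(name)
              and len(value) >= min_len
              and shannon_entropy(value) >= min_entropy):
            findings.append((name, "high_entropy_secret"))
    return findings


if __name__ == "__main__":
    for name, kind in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{kind}: resource '{name}' should not ship inside the app")
```

The right fix for a hit is to move the credential server-side (or issue per-user, short-lived tokens) and rotate the exposed key, since anything packaged in the APK must be treated as public.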

"Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play – anyone can get a US$25 account and upload whatever they want. Very little is known about what's there at an aggregate level," said Jason Nieh. "Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content."

To crawl Google Play on a daily basis, PlayDrone was made scalable – automatically adding more servers to handle the load as required. Using this technique, the team was able to download more than one million Android apps and decompile over 880,000 of the free applications available.

After processing and analyzing this data, the team has been integral in helping to plug the security holes and remove the vulnerabilities, remaining in constant contact with Google and allowing it to use their technology. As a result, Google has already begun to improve the methods and protocols employed at Google Play.

"We've been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," says Viennot. "Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future."

As an aside to looking at all of this data, the PlayDrone team also claim to have discovered various other interesting things about the apps on Google Play that were not security related, but are telling of the state of the system. These include the assertion that approximately a quarter of all free Google Play apps are simply duplicates, or clones, of other apps already available.

Additionally, one particular app that claimed to weigh objects placed on the device's screen did nothing of the sort (it merely displayed a random number), yet still had more than a million downloads, despite being rated the worst app on Google Play.

The details of the team's research were presented in a paper at the ACM SIGMETRICS conference on June 18.

Source: Columbia University

4 comments
Mel Tisdale
In the days of yore there used to be an outboard motor called the British Seagull. It was as tough as old boots and as reliable as hell, but pretty it was not. Functional was about as far as one could go regarding its looks.
What I would like the computing industry to provide is a computing equivalent to the British Seagull. A secure computer reserved for financial transactions, possibly in conjunction with the banking/finance industry and registered internet trading companies.
It would have a future-proof operating system burnt into a chip so that it is always there, no matter what happens to the hard disk. It should be impossible for a keystroke copier to operate on it. There should be no back doors, no accessing my contacts file without my explicit permission, no being able to write to my hard disk without my knowledge. No remote using of my computer unless I have authorised it. All installed software should be unalterable unless it is by the firm that wrote it. To this end all software should have a modern-day checksum that would immediately warn of it being altered.
All the above are off the top of my head. I am sure others can think of many other niceties that it should have or nasties that it not have, as the case may be. The final product should be something that is small (portable) and secure to the point where it would be impossible for a hacker to get any information about the user, especially anything about their bank details etc.
Oh, by the way, the operating system should have a numeric code for each instruction so that when a user selects a language, all instructions should be in that language by means of a look-up table, regardless of location at that instant. I have lost count of the number of times I have had to cancel a purchase because when it came to finalising the transaction, my idiot machine suddenly decided that although I have selected English, seeing as my internet address was not England at the time, it would change to that country's language, which I do not understand well enough to risk money on what I might be clicking on.
Dave Andrews
Wow. I hope this hole is plugged REAL fast!
The Reekly
Mel, that's why I log off Windows and boot up with Linux Mint on USB before banking transactions.
christopher
Seems like a lot of unnecessary google-bashing to me; every app they mentioned has an iOS version, and you can be *damned* sure that whatever's in the android one exists in the iOS one too. Case in point - I reverse-engineered both the iOS and Android versions of a popular trade-show app, and succeeded in extracting all the exhibitor details from both.
They should have done both platforms at once; 20% extra effort for 200% extra impact...
p.s. I've got a seagull (and mandatory spare box of shear-pins...)