Researchers at Columbia have urged Google to improve its vetting of content on the Play store after finding that developers frequently store secret authentication keys in the app source code, potentially exposing user data.
The research paper in question, A Measurement Study of Google Play, was written by Columbia Engineering professor of computer science, Jason Nieh, and PhD candidate Nicolas Viennot.
The two decided to investigate the potential security risks posed by content given the huge popularity of Google Play – which now lists over one million apps – and the lack of any software reviews prior to approval.
To do so they built PlayDrone, which “leverages various hacking techniques to circumvent Google’s roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications”.
What Nieh and Viennot found was a major security flaw in many of these apps.
“Developers often store secret authentication keys in their Android applications without realizing their credentials are easily compromised through decompilation. These secrets are publically available in Google Play,” they wrote.
“These keys can be used by malicious users to steal server resources or user data available through services such as Amazon Web Services (AWS) or Facebook. Unlike compromised applications that only affect users who download and run them these server vulnerabilities affect users without even running the applications.”
The good news is that Google appears to have taken the research on board.
“We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,” said Viennot. “Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.”
As for PlayDrone, the researchers reckon it could be a useful tool for analyzing Google Play apps at scale and thus helping to improve the quality of content available there.
The research also found, for example, that around a quarter of all free apps on the store are actually clones.